# Domain to run Car Service (com.android.car)
app_domain(carservice_app);

# Allow Car Service to be the client of the Audio Control, Health and Vehicle HALs
hal_client_domain(carservice_app, hal_audiocontrol)
hal_client_domain(carservice_app, hal_health)
hal_client_domain(carservice_app, hal_vehicle)

# Allow Car Service to use EVS service
hal_client_domain(carservice_app, hal_evs)

# Allow to set boot.car_service_created property
# NOTE(review): system_prop covers more than this one property; a dedicated
# property context would narrow the grant -- confirm whether one exists.
set_prop(carservice_app, system_prop)

# Allow Car Service to register/access itself with ServiceManager
add_service(carservice_app, carservice_service)

# Allow Car Service to access certain system services.
# Keep alphabetically sorted.
allow carservice_app {
  accessibility_service
  activity_service
  activity_task_service
  audio_service
  audioserver_service
  autofill_service
  bluetooth_manager_service
  connectivity_service
  content_service
  deviceidle_service
  display_service
  graphicsstats_service
  input_method_service
  input_service
  location_service
  lock_settings_service
  media_session_service
  network_management_service
  power_service
  procfsinspector_service
  sensorservice_service
  statsmanager_service
  surfaceflinger_service
  telecom_service
  tethering_service
  thermal_service
  uimode_service
  voiceinteraction_service
  wifi_service
  wifiscanner_service
}:service_manager find;

# Read and write /data/data subdirectory.
allow carservice_app system_app_data_file:dir create_dir_perms;
allow carservice_app system_app_data_file:{ file lnk_file } create_file_perms;

# R/W /data/system/car
allow carservice_app system_car_data_file:dir create_dir_perms;
allow carservice_app system_car_data_file:{ file lnk_file } create_file_perms;

net_domain(carservice_app)

# NOTE(review): no comment explains this read/write access to cgroup files;
# confirm which caller needs write access rather than read-only.
allow carservice_app cgroup:file rw_file_perms;

# For I/O stats tracker
allow carservice_app proc_uid_io_stats:file { read open getattr };
allow carservice_app procfsinspector:binder call;

# Allow binder calls with statsd
allow carservice_app statsd:binder call;

# To access /sys/fs/<fstype>/<partition>/lifetime_write_kbytes
# (the two path components were missing from the rendered comment;
# <fstype> and <partition> are placeholders to be confirmed)
allow carservice_app sysfs:dir { open read search };
allow carservice_app sysfs_fs_ext4_features:dir { open read search };
allow carservice_app sysfs_fs_f2fs:dir { open read search };

# Allow reading and writing /sys/power/
allow carservice_app sysfs_power:file rw_file_perms;

# Allow reading system property sys.boot.reason
allow carservice_app system_boot_reason_prop:file { getattr open read map };

## CarBugreportManagerService rules
set_prop(carservice_app, ctl_start_prop)
set_prop(carservice_app, ctl_stop_prop)
unix_socket_connect(carservice_app, dumpstate, dumpstate)

# Allow setting "dumpstate.dry_run" -- only on userdebug/eng builds
userdebug_or_eng(`
  set_prop(carservice_app, exported_dumpstate_prop)
')

# Allow reading vehicle-specific configuration
get_prop(carservice_app, vehicle_hal_prop)

# Allow CarWatchdogService to access car watchdog daemon
carwatchdog_client_domain(carservice_app)

# Allow CarPowerManagementService to access car power policy daemon
allow carservice_app carpowerpolicyd_service:service_manager find;

# For ActivityBlockingActivity
allow carservice_app gpu_device:chr_file rw_file_perms;
allow carservice_app gpu_device:dir r_dir_perms;
allow carservice_app gpu_service:service_manager find;
binder_call(carservice_app, gpuservice)