# healthd - battery/charger monitoring service daemon type healthd, domain; type healthd_exec, system_file_type, exec_type, file_type; # Write to /dev/kmsg allow healthd kmsg_device:chr_file rw_file_perms; # Read access to pseudo filesystems. allow healthd sysfs_type:dir search; # Allow to read /sys/class/power_supply directory. allow healthd sysfs:dir r_dir_perms; r_dir_file(healthd, rootfs) r_dir_file(healthd, cgroup) r_dir_file(healthd, cgroup_v2) allow healthd self:global_capability_class_set { sys_tty_config }; allow healthd self:global_capability_class_set sys_boot; dontaudit healthd self:global_capability_class_set sys_resource; allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; wakelock_use(healthd) hal_client_domain(healthd, hal_health) # Read/write to /sys/power/state allow healthd sysfs_power:file rw_file_perms; # TODO: added to match above sysfs rule. Remove me? allow healthd sysfs_usb:file write; r_dir_file(healthd, sysfs_batteryinfo) ### ### healthd: charger mode ### # Read /sys/fs/pstore/console-ramoops # Don't worry about overly broad permissions for now, as there's # only one file in /sys/fs/pstore allow healthd pstorefs:dir r_dir_perms; allow healthd pstorefs:file r_file_perms; allow healthd graphics_device:dir r_dir_perms; allow healthd graphics_device:chr_file rw_file_perms; allow healthd input_device:dir r_dir_perms; allow healthd input_device:chr_file r_file_perms; allow healthd tty_device:chr_file rw_file_perms; allow healthd ashmem_device:chr_file execute; allow healthd proc_sysrq:file rw_file_perms;