# SELinux policy for iorapd, Android's I/O read-ahead / prefetch daemon
# (its helper domains iorap_prefetcherd and iorap_inode2filename are referenced
# below). Declares the domain, its executable label and its tmpfs label.
type iorapd, domain;
type iorapd_exec, exec_type, file_type, system_file_type;
type iorapd_tmpfs, file_type;

# Read-only access to directories and files on the root filesystem.
r_dir_file(iorapd, rootfs)

# Allow read/write of /proc/sys/vm/drop_caches (labelled proc_drop_caches).
allow iorapd proc_drop_caches:file rw_file_perms;

# Give iorapd a place where only iorapd can store files; everyone else is off
# limits (enforced by the neverallow rules at the end of this file).
allow iorapd iorapd_data_file:dir create_dir_perms;
allow iorapd iorapd_data_file:file create_file_perms;

# Allow iorapd to publish a binder service (iorapd_service) and make binder calls.
binder_use(iorapd)
add_service(iorapd, iorapd_service)

# Allow iorapd to call into the system server so it can check permissions.
binder_call(iorapd, system_server)
allow iorapd permission_service:service_manager find;
# IUserManager
allow iorapd user_service:service_manager find;
# IPackageManagerNative
allow iorapd package_native_service:service_manager find;
# Allow dumpstate (bugreport) to call into iorapd: iorapd may use the fd that
# dumpstate passes in and write its dump output to that fifo.
allow iorapd dumpstate:fd use;
allow iorapd dumpstate:fifo_file write;

# talk to batteryservice (hosted in healthd)
binder_call(iorapd, healthd)

# TODO: does each of the service_manager allow finds above need the binder_call?

# iorapd temporarily changes its priority when running benchmarks (CAP_SYS_NICE).
allow iorapd self:global_capability_class_set sys_nice;

# Allow access to Perfetto traced's privileged consumer socket to start/stop
# tracing sessions and read trace data.
unix_socket_connect(iorapd, traced_consumer, traced)

# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
# NOTE(review): this grants read+execute on every file labelled system_file, not
# only the compiler binary; a dedicated exec label for the compiler would be
# tighter -- confirm whether that binary can carry its own type.
allow iorapd system_file:file rx_file_perms;

# Allow iorapd to send signull (an existence check; no signal is delivered) to
# iorap_inode2filename and iorap_prefetcherd.
allow iorapd iorap_inode2filename:process signull;
allow iorapd iorap_prefetcherd:process signull;

# Allow system_server to check for the existence and size of files under the
# iorapd dir without collecting any sensitive app data: it gets directory
# listing/search plus getattr on the files, but no read on file contents.
# This is used to predict if iorapd is doing prefetching or not.
allow system_server iorapd_data_file:dir { getattr open read search };
allow system_server iorapd_data_file:file getattr;

###
### neverallow rules
###

# No domain other than iorapd may do anything to the iorapd_data_file directory
# beyond the listed lookup/read/attribute/relabel operations.
neverallow {
  domain
  -iorapd
} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };

# Only init, iorapd and system_server may touch the directory at all.
neverallow {
  domain
  -init
  -iorapd
  -system_server
} iorapd_data_file:dir *;

# For the file-like classes under the directory, only kernel and iorapd may do
# more than relabel or stat them.
neverallow {
  domain
  -kernel
  -iorapd
} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };

# Only init, kernel, vendor_init, iorapd and system_server may touch those
# files at all.
neverallow {
  domain
  -init
  -kernel
  -vendor_init
  -iorapd
  -system_server
} { iorapd_data_file }:notdevfile_class_set *;

# Only dumpstate and system_server (besides iorapd itself) can look up
# iorapd_service in servicemanager, i.e. interact with iorapd over binder.
# NOTE(review): the comment previously named "shell (for dumpsys)", but the rule
# exempts dumpstate rather than shell -- confirm which domain the intended
# dumpsys path actually runs as.
neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
# Conversely, iorapd may only make binder calls into healthd, servicemanager and
# system_server (plus su on userdebug/eng builds).
neverallow iorapd {
  domain
  -healthd
  -servicemanager
  -system_server
  userdebug_or_eng(`-su')
}:binder call;

# Only init may enter the iorapd domain; no other domain may transition or
# dyntransition into it.
neverallow { domain -init } iorapd:process { transition dyntransition };
# iorapd gets no IP networking: no TCP, UDP or raw IP sockets of any kind.
neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;