# SELinux policy for the statsd metrics daemon.
# Every rule below is unchanged; only the comments were reviewed so that they
# describe what each rule actually grants.

# statsd is a process domain. mlstrustedsubject exempts it from the MLS
# constraints that otherwise apply between subjects and objects.
# NOTE(review): confirm the MLS exemption is still required, since it widens
# what every other allow rule in this file can reach.
type statsd, domain, mlstrustedsubject;

# Label for the statsd executable.
type statsd_exec, system_file_type, exec_type, file_type;
binder_use(statsd)

# Allow statsd to scan through /proc/pid for all processes.
# The target is the domain attribute, so this covers every process on the
# device, not a selected subset.
r_dir_file(statsd, domain)

# Allow executing files on system, such as running a shell or running:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
# execute_no_trans means the binary runs inside the statsd domain with no
# domain transition, so anything started this way holds every permission
# granted in this file.
# NOTE(review): the list above is illustrative; only binaries labeled
# shell_exec, system_file or toolbox_exec are covered by these rules.
allow statsd devpts:chr_file { getattr ioctl read write };
allow statsd shell_exec:file rx_file_perms;
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;

# Debug builds only (userdebug or eng): read from a pipe owned by the su
# domain. This rule is absent from user builds.
userdebug_or_eng(`
  allow statsd su:fifo_file read;
')

# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
# NOTE(review): the neverallow comment at the end of this file names
# /data/misc/stats-service instead of /data/misc/stats-system. Confirm against
# file_contexts which paths carry the stats_data_file label.
allow statsd stats_data_file:dir create_dir_perms;
allow statsd stats_data_file:file create_file_perms;

# Allow statsd to make binder calls to app domains and to the daemons named
# below. This is not a grant to every binder service: a new peer needs its own
# binder_call line.
binder_call(statsd, appdomain)
binder_call(statsd, healthd)
binder_call(statsd, incidentd)
binder_call(statsd, system_server)

# Allow statsd to interact with gpuservice
allow statsd gpu_service:service_manager find;
binder_call(statsd, gpuservice)

# Allow statsd to interact with keystore to pull atoms
allow statsd keystore_service:service_manager find;
binder_call(statsd, keystore)

# Allow statsd to interact with mediametrics
allow statsd mediametrics_service:service_manager find;
binder_call(statsd, mediametrics)

# Allow logd access.
# NOTE(review): control_logd is granted in addition to read_logd; confirm that
# statsd needs the logd control interface and not only read access.
read_logd(statsd)
control_logd(statsd)

# Allow statsd to look up (find) services carrying these attributes.
# Only the find permission is granted here; this rule does not grant add, so it
# does not cover registering a service.
allow statsd {
  app_api_service
  incident_service
  system_api_service
}:service_manager find;

# Allow statsd to find the health HAL hwservice so it can read battery metrics.
allow statsd hal_health_hwservice:hwservice_manager find;

# Allow statsd to send dump info to dumpstate
allow statsd dumpstate:fd use;
allow statsd dumpstate:fifo_file { getattr write };

# Allow read access to per-UID CPU time stats and client access to the
# health, power, power stats and thermal HALs.
allow statsd proc_uid_cputime_showstat:file { getattr open read };
hal_client_domain(statsd, hal_health)
hal_client_domain(statsd, hal_power)
hal_client_domain(statsd, hal_power_stats)
hal_client_domain(statsd, hal_thermal)

# Allow 'adb shell cmd' to upload configs and download output.
# statsd uses file descriptors, sockets and pipes handed over by adbd and the
# shell domain; it does not open them itself.
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read write };

# statsd sends on the statsdw socket, with statsd itself as the receiving
# domain.
unix_socket_send(statsd, statsdw, statsd)

###
### neverallow rules
###

# Only statsd and, in limited circumstances, the other root services
# (system_server, init, vold) can get to the files in /data/misc/stats-data,
# /data/misc/stats-service.
# Other services are prohibited from accessing the files. The * covers every
# permission on the class, so any allow rule added elsewhere for another domain
# fails the policy build.
neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;

# Limited access to the directory itself.
neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;