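# SELinux policy for the lpdumpd domain.
#
# Summary of what this file grants:
#   - registration of lpdump_service with the service manager,
#   - read-only access to the super partition block device,
#   - read access to fstab.
# The neverallow rules at the end limit which domains may look up the
# service or make binder calls into lpdumpd.

# lpdumpd is a core (platform) domain. Its executable is labelled
# lpdumpd_exec, which is a system file type.
type lpdumpd, domain, coredomain;
type lpdumpd_exec, system_file_type, exec_type, file_type;

# Run lpdumpd in its own domain when init starts it.
init_daemon_domain(lpdumpd)

# Allow lpdumpd to register itself as a service.
binder_use(lpdumpd)
add_service(lpdumpd, lpdump_service)

# Allow lpdumpd to find the super partition block device.
allow lpdumpd block_device:dir r_dir_perms;

# Allow lpdumpd to read super partition metadata.
# NOTE(review): this is a read-only grant; no write permission on the block
# device is given in this file. SELinux cannot scope access to a byte range,
# so r_file_perms covers the whole device labelled super_block_device_type,
# not only the metadata region. Anything lpdumpd returns to its callers
# should be treated as readable by every domain exempted below.
allow lpdumpd super_block_device_type:blk_file r_file_perms;

# Allow lpdumpd to read fstab.
allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
read_fstab(lpdumpd)

### Neverallow rules
#
# neverallow statements are build-time assertions and grant nothing. The
# matching allow rules for the exempted domains are not in this file and
# must exist elsewhere in the policy.

# Only dumpstate, lpdumpd and shell may look up lpdump_service.
# NOTE(review): shell is exempted, so the service is reachable from an
# adb shell; confirm this is intended for the build types that ship it.
neverallow {
  domain
  -dumpstate
  -lpdumpd
  -shell
} lpdump_service:service_manager find;

# Only the same domains, plus servicemanager, may make binder calls into
# lpdumpd.
# NOTE(review): servicemanager is presumably exempted because it has to
# transact with the services it hosts; confirm against the binder macros.
neverallow {
  domain
  -dumpstate
  -lpdumpd
  -shell
  -servicemanager
} lpdumpd:binder call;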