# carservice_app is the SELinux domain that Car Service (com.android.car)
# runs in.
app_domain(carservice_app);

# HAL client access, one hal_client_domain() call per HAL attribute:
# audio control, EVS, health and vehicle.
hal_client_domain(carservice_app, hal_audiocontrol)
hal_client_domain(carservice_app, hal_evs)
hal_client_domain(carservice_app, hal_health)
hal_client_domain(carservice_app, hal_vehicle)

# Car Service registers itself with ServiceManager as carservice_service
# and may look that service up again.
add_service(carservice_app, carservice_service)

# Needed to set the boot.car_service_created property.
# NOTE(review): the grant is on the whole system_prop type, so it presumably
# also covers every other property labelled system_prop. Confirm against
# property_contexts and consider a dedicated property type for this one flag.
set_prop(carservice_app, system_prop)

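# System services that Car Service may look up through ServiceManager.
# This rule grants the service_manager find permission only.
# Keep alphabetically sorted: a sorted list makes an added or duplicated
# entry easy to spot in review. media_communication_service was listed after
# media_session_service and has been moved back into order.
allow carservice_app {
    accessibility_service
    activity_service
    activity_task_service
    audio_service
    audioserver_service
    autofill_service
    bluetooth_manager_service
    connectivity_service
    content_service
    device_policy_service
    deviceidle_service
    display_service
    graphicsstats_service
    input_method_service
    input_service
    location_service
    lock_settings_service
    media_communication_service
    media_session_service
    netstats_service  # for CarTelemetryService
    network_management_service
    overlay_service
    power_service
    procfsinspector_service
    sensorservice_service
    statsmanager_service
    surfaceflinger_service
    telecom_service
    tethering_service
    thermal_service
    timedetector_service
    timezonedetector_service
    uimode_service
    voiceinteraction_service
    wifi_service
    wifiscanner_service
}:service_manager find;
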
# Network access through the net_domain macro, whose expansion is defined
# outside this file.
net_domain(carservice_app)

# App data in the /data/data subdirectory: create and modify directories,
# files and symlinks labelled system_app_data_file.
allow carservice_app system_app_data_file:dir create_dir_perms;
allow carservice_app system_app_data_file:{ file lnk_file } create_file_perms;

# Car-specific state under /data/system/car: same level of access on
# system_car_data_file.
allow carservice_app system_car_data_file:dir create_dir_perms;
allow carservice_app system_car_data_file:{ file lnk_file } create_file_perms;

# NOTE(review): no reason is recorded for read-write access to cgroup files.
# Document which feature needs it, or narrow the grant if none does.
allow carservice_app cgroup:file rw_file_perms;

# I/O stats tracker: read-only access to files labelled proc_uid_io_stats.
allow carservice_app proc_uid_io_stats:file { getattr open read };

# Outgoing binder calls to procfsinspector and to statsd.
allow carservice_app procfsinspector:binder call;
allow carservice_app statsd:binder call;

# Directory traversal needed to reach
# /sys/fs/<type>/<partition>/lifetime_write_kbytes.
# These three rules grant directory permissions only. The first one is on
# the generic sysfs type rather than a path-specific label.
allow carservice_app sysfs:dir { open read search };
allow carservice_app sysfs_fs_ext4_features:dir { open read search };
allow carservice_app sysfs_fs_f2fs:dir { open read search };

# Read and write files under /sys/power/.
allow carservice_app sysfs_power:file rw_file_perms;

# Read-only access to the sys.boot.reason system property.
allow carservice_app system_boot_reason_prop:file { getattr map open read };

## CarBugreportManagerService rules
# Connect to the dumpstate socket.
unix_socket_connect(carservice_app, dumpstate, dumpstate)
# Set the control properties labelled ctl_start_prop and ctl_stop_prop.
# NOTE(review): these look like the generic control-property types rather
# than ones scoped to the bugreport service. Confirm in property_contexts
# which services they cover and prefer a service-specific type if one exists.
set_prop(carservice_app, ctl_start_prop)
set_prop(carservice_app, ctl_stop_prop)
# Setting "dumpstate.dry_run" is limited to userdebug and eng builds.
userdebug_or_eng(`
  set_prop(carservice_app, exported_dumpstate_prop)
')

# Vehicle-specific configuration: read access to vehicle_hal_prop properties.
get_prop(carservice_app, vehicle_hal_prop)

# CarWatchdogService: client of the car watchdog daemon.
carwatchdog_client_domain(carservice_app)

# CarPowerManagementService: look up the car power policy daemon service
# through ServiceManager.
allow carservice_app carpowerpolicyd_service:service_manager find;

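# For ActivityBlockingActivity: read-write access to the GPU device node,
# read access to its directory, lookup of gpu_service and binder calls to
# gpuservice.
allow carservice_app gpu_device:chr_file rw_file_perms;
allow carservice_app gpu_device:dir r_dir_perms;
allow carservice_app gpu_service:service_manager find;
binder_call(carservice_app, gpuservice)

# Allow reading /proc/loadavg. The rule is read-only: the earlier comment
# said reading and writing, but no write permission is granted here.
allow carservice_app proc_loadavg:file { open read getattr };

# Allow reading /proc/meminfo for telemetry. Read-only as well.
allow carservice_app proc_meminfo:file { open read getattr };
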
# Further services Car Service may look up through ServiceManager.
# Only the service_manager find permission is granted.
allow carservice_app {
    content_capture_service
    evsmanagerd_service  # AIDL EVS service
    game_service
    hint_service
}:service_manager find;
