1# Domain to run Car Service (com.android.car)
2app_domain(carservice_app);
3
4# Allow Car Service to be a client of the Audio Control, Health and Vehicle HALs
5hal_client_domain(carservice_app, hal_audiocontrol)
6hal_client_domain(carservice_app, hal_health)
7hal_client_domain(carservice_app, hal_vehicle)
8
9# Allow Car Service to be a client of the remoteaccess HAL.
10hal_client_domain(carservice_app, hal_remoteaccess)
11
12# Allow Car Service to be a client of the EVS HAL
13hal_client_domain(carservice_app, hal_evs)
14
15# Allow Car Service to be a client of the IVN HAL.
16hal_client_domain(carservice_app, hal_ivn)
17
18# Allow setting the boot.car_service_created property
# NOTE(review): the grant is on the whole system_prop type, so it covers every
# property carrying that label, not only boot.car_service_created. A dedicated
# property type would narrow it -- confirm against property_contexts.
19set_prop(carservice_app, system_prop)
20
21# Allow Car Service to register/access itself with ServiceManager
# (registered under the carservice_service type)
22add_service(carservice_app, carservice_service)
23
24# Allow Car Service to access certain system services.
# Only the service_manager "find" permission is granted on each type below.
25# Keep alphabetically sorted.
# NOTE(review): media_communication_service is listed after
# media_session_service, which breaks the sort order requested above.
26allow carservice_app {
27    accessibility_service
28    activity_service
29    activity_task_service
30    audio_service
31    audioserver_service
32    autofill_service
33    bluetooth_manager_service
34    connectivity_service
35    content_service
36    device_policy_service
37    deviceidle_service
38    display_service
39    graphicsstats_service
40    input_method_service
41    input_service
42    location_service
43    lock_settings_service
44    media_session_service
45    media_communication_service
46    netstats_service  # for CarTelemetryService
47    network_management_service
48    overlay_service
49    power_service
50    procfsinspector_service
51    sensorservice_service
52    statsmanager_service
53    surfaceflinger_service
54    telecom_service
55    tethering_service
56    thermal_service
57    timedetector_service
58    timezonedetector_service
59    uimode_service
60    usagestats_service
61    voiceinteraction_service
62    wifi_service
63    wifiscanner_service
64}:service_manager find;
65
66# Read and write /data/data subdirectory.
# Applies to directories, files and symlinks labelled system_app_data_file.
67allow carservice_app system_app_data_file:dir create_dir_perms;
68allow carservice_app system_app_data_file:{ file lnk_file } create_file_perms;
69# R/W /data/system/car
# Same permission sets as above, on the system_car_data_file type.
70allow carservice_app system_car_data_file:dir create_dir_perms;
71allow carservice_app system_car_data_file:{ file lnk_file } create_file_perms;
72
# Put Car Service in the network-capable domain set. net_domain() is defined
# outside this file; presumably it grants socket access -- confirm in the macro.
73net_domain(carservice_app)
74
# Read/write access to files labelled cgroup. The feature that needs it is not
# stated in this file -- TODO document the consumer.
75allow carservice_app cgroup:file rw_file_perms;
76
77# For I/O stats tracker (read-only access to files labelled proc_uid_io_stats)
78allow carservice_app proc_uid_io_stats:file { read open getattr };
79
# Allow binder calls into procfsinspector (call only; no transfer is granted here)
80allow carservice_app procfsinspector:binder call;
81
82# Allow binder calls with statsd (call only; no transfer is granted here)
83allow carservice_app statsd:binder call;
84
85# To access /sys/fs/<type>/<partition>/lifetime_write_kbytes
# NOTE(review): the first rule is on the generic sysfs type, so the directory
# open/read/search grant applies to every directory that keeps the default
# sysfs label, not only /sys/fs. Only dir permissions are granted in this
# block; the file read itself must be allowed elsewhere.
86allow carservice_app sysfs:dir { open read search };
87allow carservice_app sysfs_fs_ext4_features:dir { open read search};
88allow carservice_app sysfs_fs_f2fs:dir { open read search };
89
90# Allow reading and writing /sys/power/
# (files labelled sysfs_power; write access is included via rw_file_perms)
91allow carservice_app sysfs_power:file rw_file_perms;
92
93# Allow reading system property sys.boot.reason
# Read-only: getattr/open/read/map on the property file, no set permission.
94allow carservice_app system_boot_reason_prop:file { getattr open read map };
95
96## CarBugreportManagerService rules
# NOTE(review): ctl_start_prop / ctl_stop_prop are type-wide grants. Which init
# services Car Service can start and stop through them depends on how the
# ctl.* properties are labelled -- confirm the scope is limited to what the
# bugreport flow needs.
97set_prop(carservice_app, ctl_start_prop)
98set_prop(carservice_app, ctl_stop_prop)
# Connect to the dumpstate socket owned by the dumpstate domain.
99unix_socket_connect(carservice_app, dumpstate, dumpstate)
100# Allow setting "dumpstate.dry_run" (only inside userdebug_or_eng, i.e. not on user builds)
101userdebug_or_eng(`
102  set_prop(carservice_app, exported_dumpstate_prop)
103')
104
105# Allow reading vehicle-specific configuration (get only, no set)
106get_prop(carservice_app, vehicle_hal_prop)
107
108# Allow writing carwatchdog configuration
109set_prop(carservice_app, carwatchdog_config_prop)
110
111# Allow CarWatchdogService to access car watchdog daemon
# carwatchdog_client_domain() is defined outside this file.
112carwatchdog_client_domain(carservice_app)
113
114# Allow CarPowerManagementService to access car power policy daemon
# Only the service_manager lookup is granted here.
115allow carservice_app carpowerpolicyd_service:service_manager find;
116
117# For ActivityBlockingActivity
# Grants read/write on the GPU character device, read access to its directory,
# lookup of gpu_service and binder calls to gpuservice.
118allow carservice_app gpu_device:chr_file rw_file_perms;
119allow carservice_app gpu_device:dir r_dir_perms;
120allow carservice_app gpu_service:service_manager find;
121binder_call(carservice_app, gpuservice)
122
123# Allow reading /proc/loadavg (the rule grants open/read/getattr only; no write)
124allow carservice_app proc_loadavg:file { open read getattr };
125
126# Allow reading /proc/meminfo for telemetry (read-only)
127allow carservice_app proc_meminfo:file { open read getattr };
128
129# Allow finding game_service and content_capture_service
# These are service_manager lookups only, written as separate rules rather
# than added to the sorted system-service list.
130allow carservice_app game_service:service_manager find;
131allow carservice_app content_capture_service:service_manager find;
132
133# Allow finding hint_service
134allow carservice_app hint_service:service_manager find;
135
136# Allow finding AIDL EVS service
137allow carservice_app evsmanagerd_service:service_manager find;
138