1# Domain to run Car Service (com.android.car)
# app_domain() is a policy macro defined outside this file; everything below
# adds to whatever that macro grants the carservice_app domain.
2app_domain(carservice_app);
3
4# Allow Car Service to be the client of the Audio Control, Health and Vehicle HALs
5hal_client_domain(carservice_app, hal_audiocontrol)
6hal_client_domain(carservice_app, hal_health)
7hal_client_domain(carservice_app, hal_vehicle)
8
9# Allow Car Service to be the client of remoteaccess HAL.
10hal_client_domain(carservice_app, hal_remoteaccess)
11
12# Allow Car Service to be a client of the EVS HAL
13hal_client_domain(carservice_app, hal_evs)
14
15# Allow Car Service to use IVN HAL.
16hal_client_domain(carservice_app, hal_ivn)
17
18# Allow setting the boot.car_service_created property
# NOTE(review): the grant is on the whole system_prop type, not on a type
# dedicated to boot.car_service_created, so it covers every property that
# carries the system_prop label. A dedicated property type would scope this
# to the one property the comment names.
19set_prop(carservice_app, system_prop)
20
21# Allow Car Service to register/access itself with ServiceManager
# carservice_service is the service type Car Service publishes under; the
# add_service() macro is defined outside this file.
22add_service(carservice_app, carservice_service)
23
24# Allow Car Service to access certain system services.
# Every entry receives exactly one permission: service_manager find (lookup
# of that service type). Each added entry widens the set of services this
# domain can look up, so additions deserve a stated consumer, as done for
# netstats_service below.
25# Keep alphabetically sorted.
# NOTE(review): media_session_service is listed before
# media_communication_service, which breaks the sort order requested above.
26allow carservice_app {
27    accessibility_service
28    activity_service
29    activity_task_service
30    audio_service
31    audioserver_service
32    autofill_service
33    bluetooth_manager_service
34    connectivity_service
35    content_service
36    device_policy_service
37    deviceidle_service
38    display_service
39    graphicsstats_service
40    input_method_service
41    input_service
42    location_service
43    lock_settings_service
44    media_session_service
45    media_communication_service
46    netstats_service  # for CarTelemetryService
47    network_management_service
48    overlay_service
49    power_service
50    procfsinspector_service
51    radio_service
52    registry_service
53    sensorservice_service
54    statsmanager_service
55    surfaceflinger_service
56    telecom_service
57    tethering_service
58    thermal_service
59    timedetector_service
60    timezonedetector_service
61    uimode_service
62    usagestats_service
63    voiceinteraction_service
64    wifi_service
65    wifiscanner_service
66}:service_manager find;
67
68# Create, read and write directories, files and symlinks in the /data/data subdirectory.
# The create_dir_perms / create_file_perms sets are applied to the whole
# system_app_data_file type, not to a Car Service specific label.
69allow carservice_app system_app_data_file:dir create_dir_perms;
70allow carservice_app system_app_data_file:{ file lnk_file } create_file_perms;
71# Same create/read/write access for /data/system/car (system_car_data_file)
72allow carservice_app system_car_data_file:dir create_dir_perms;
73allow carservice_app system_car_data_file:{ file lnk_file } create_file_perms;
74
# Give Car Service network access through the net_domain() macro (defined
# outside this file).
75net_domain(carservice_app)
76
# Read/write access to files labeled cgroup.
# NOTE(review): this file does not say which Car Service feature needs to
# write cgroup files; name the consumer so the grant can be re-checked later.
77allow carservice_app cgroup:file rw_file_perms;
78
79# For I/O stats tracker (read-only: read, open and getattr)
80allow carservice_app proc_uid_io_stats:file { read open getattr };
81
# Allow binder calls to the procfsinspector domain; the matching
# procfsinspector_service lookup is granted in the service_manager find list.
82allow carservice_app procfsinspector:binder call;
83
84# Allow binder calls with statsd
85allow carservice_app statsd:binder call;
86
87# To access /sys/fs/<type>/<partition>/lifetime_write_kbytes
# The file itself is read-only here; the dir rules grant open/read/search only.
88allow carservice_app sysfs_fs_lifetime_write:file { getattr open read };
# NOTE(review): this rule is on the generic sysfs type, so it allows listing
# any directory with that label, presumably to walk down to the per-filesystem
# nodes. Confirm that the broad type is required.
89allow carservice_app sysfs:dir { open read search };
90allow carservice_app sysfs_fs_ext4_features:dir { open read search};
91allow carservice_app sysfs_fs_f2fs:dir { open read search };
92
93# Allow reading and writing /sys/power/
# NOTE(review): write access applies to every file labeled sysfs_power;
# confirm which nodes Car Service actually writes.
94allow carservice_app sysfs_power:file rw_file_perms;
95
96# Allow reading system property sys.boot.reason
97allow carservice_app system_boot_reason_prop:file { getattr open read map };
98
99## CarBugreportManagerService rules
# ctl_start_prop / ctl_stop_prop are control properties used to ask init to
# start and stop services.
# NOTE(review): these are the generic control-property types rather than a
# dumpstate-specific one, so the grant may reach more services than the
# bugreport flow needs. Confirm against property_contexts.
100set_prop(carservice_app, ctl_start_prop)
101set_prop(carservice_app, ctl_stop_prop)
# Connect to the dumpstate socket served by the dumpstate domain.
102unix_socket_connect(carservice_app, dumpstate, dumpstate)
103# Allow setting "dumpstate.dry_run"
# Wrapped in userdebug_or_eng(), so this rule is limited to userdebug and eng builds.
104userdebug_or_eng(`
105  set_prop(carservice_app, exported_dumpstate_prop)
106')
107
108# Allow reading vehicle-specific configuration (read-only: get_prop)
109get_prop(carservice_app, vehicle_hal_prop)
110
111# Allow writing carwatchdog configuration
112set_prop(carservice_app, carwatchdog_config_prop)
113
114# Allow CarWatchdogService to access car watchdog daemon
# carwatchdog_client_domain() is a macro defined outside this file.
115carwatchdog_client_domain(carservice_app)
116
117# Allow CarPowerManagementService to access car power policy daemon
118allow carservice_app carpowerpolicyd_service:service_manager find;
119
120# Allow CarPowerManagementService to serve a callback from car power policy daemon
# carpowerpolicy_callback_domain() is a macro defined outside this file.
121carpowerpolicy_callback_domain(carservice_app)
122
123# For ActivityBlockingActivity
# Grants read/write on the GPU character device, read access to gpu_device
# directories, lookup of gpu_service, and binder calls to gpuservice.
124allow carservice_app gpu_device:chr_file rw_file_perms;
125allow carservice_app gpu_device:dir r_dir_perms;
126allow carservice_app gpu_service:service_manager find;
127binder_call(carservice_app, gpuservice)
128
129# Allow reading /proc/loadavg (the rule grants open, read and getattr only; no write)
130allow carservice_app proc_loadavg:file { open read getattr };
131
132# Allow reading /proc/meminfo for telemetry
133allow carservice_app proc_meminfo:file { open read getattr };
134
135# Allow finding game_service and content_capture_service
136allow carservice_app game_service:service_manager find;
137allow carservice_app content_capture_service:service_manager find;
138
139# Allow finding hint_service
140allow carservice_app hint_service:service_manager find;
141
142# Allow finding AIDL EVS service
143allow carservice_app evsmanagerd_service:service_manager find;
144
145# Allow reading car boot information (read-only: get_prop)
146get_prop(carservice_app, car_boot_prop);
147
# Allow setting properties labeled hibernation_prop.
# NOTE(review): this file does not state the purpose; document which Car
# Service component writes these properties.
148set_prop(carservice_app, hibernation_prop);
149