# Temperature sensor daemon (root process)
type thermald, domain;
type thermald_exec, exec_type, file_type;

# Started by init
init_daemon_domain(thermald)

allow thermald self:socket create_socket_perms;

# CPU hotplug uevent
allow thermald self:netlink_kobject_uevent_socket { create setopt bind read };
# b/12450712: The dac_override should likely be fixed. It is included to
# allow access to a few /sys/module/msm_thermal/ files. Once
# the proper perms on those files are fixed this can likely be
# reverted. We also want to auditallow every instance
# of dac_override to track its behavior.
allow thermald self:capability { dac_override net_admin };
auditallow thermald self:capability dac_override;

# Talk to qmuxd (/dev/socket/qmux_radio)
qmux_socket(thermald)

# Access shared logger (/dev/smem_log)
allow thermald shared_log_device:chr_file rw_file_perms;

# Access /sys/devices/system/cpu/
allow thermald sysfs_devices_system_cpu:file rw_file_perms;

# Some files in /sys/devices/system/cpu may pop in and out of existance,
# defeating our attempt to label them. As a result, they could have the
# sysfs label, not the sysfs_devices_system_cpu label.
# Allow write access for now until we figure out a better solution.
# For example, the following files pop in and out of existance:
# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
allow thermald sysfs:file write;

# Create and access to /dev/socket/thermal-.*
type_transition thermald socket_device:sock_file thermald_socket;
allow thermald socket_device:dir w_dir_perms;
allow thermald thermald_socket:sock_file create_file_perms;

# Connect to mpdecision.
allow thermald mpdecision_socket:dir r_dir_perms;
unix_socket_connect(thermald, mpdecision, mpdecision)

# Access to /dev/msm_thermal_query
allow thermald thermal_engine_device:chr_file rw_file_perms;