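# SELinux policy for the healthd domain.
# Restored to one statement per line with the listing's gutter numbers
# removed: collapsed onto a single line, everything after the first '#'
# is read as a comment, so no rule would be in effect.

# healthd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type healthd, domain;

# Write to /dev/kmsg
allow healthd kmsg_device:chr_file rw_file_perms;

# NOTE(review): the reason for each capability is not stated in this file.
# net_admin is presumably tied to the uevent netlink socket below and
# sys_tty_config to the tty access in the charger-mode section -- confirm
# before carrying either forward.
allow healthd self:capability { net_admin sys_tty_config };
wakelock_use(healthd)
# Kernel uevent netlink socket.
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
# Binder: use binder IPC, act as a binder service, call into system_server.
binder_use(healthd)
binder_service(healthd)
binder_call(healthd, system_server)

# Write to state file.
# TODO: Split into a separate type?
# NOTE(review): as written this grants write on every file labelled with
# the generic sysfs type, not only the state file. Giving the state file
# its own type, as the TODO suggests, would let the rule name just that file.
allow healthd sysfs:file write;

###
### healthd: charger mode
###

# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
# only one file in /sys/fs/pstore
allow healthd pstorefs:dir r_dir_perms;
allow healthd pstorefs:file r_file_perms;

# Graphics, input and tty devices used in charger mode.
# Graphics and tty are read-write; input is read-only.
allow healthd graphics_device:dir r_dir_perms;
allow healthd graphics_device:chr_file rw_file_perms;
allow healthd input_device:dir r_dir_perms;
allow healthd input_device:chr_file r_file_perms;
allow healthd tty_device:chr_file rw_file_perms;

# NOTE(review): execute on ashmem plus execmem permit executable memory
# mappings, which relaxes W^X for the whole domain. Nothing in this file
# says which charger-mode code needs them; confirm the requirement and
# drop the pair if it no longer holds.
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;

# NOTE(review): read-write on proc_sysrq together with CAP_SYS_BOOT is
# presumably so charger mode can reboot or power off the device -- confirm.
# Both are high-impact grants; keep them only while charger mode runs in
# this domain.
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;

# Register healthd_service with the service manager and look it up.
allow healthd healthd_service:service_manager { add find };

# Healthd needs to tell init to continue the boot
# process when running in charger mode.
# NOTE(review): set_prop on system_prop covers every property carrying that
# label, not only the one used to signal init; a dedicated property type
# would keep this grant to the single signal.
set_prop(healthd, system_prop)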