sepolicy/metrics_collector.te - device/generic/brillo - Git at Google

 ###############################
 # metrics_collector.
 type metrics_collector, domain;
 type metrics_collector_exec, exec_type, file_type;
 type metrics_collector_data_file, file_type, data_file_type;

 brillo_domain(metrics_collector)

 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(metrics_collector)

 # Allow metrics_collector to report metrics.
 allow_metrics_reporting(metrics_collector)

 # Allow metrics_collector to create files in the shared metrics directory.
 allow metrics_collector metrics_data_file:dir rw_dir_perms;
 allow metrics_collector metrics_data_file:file create_file_perms;

 # Rules for the metrics_collector daemon.
 allow metrics_collector metrics_collector_data_file:dir rw_dir_perms;
 allow metrics_collector metrics_collector_data_file:file create_file_perms;
 allow metrics_collector block_device:blk_file getattr;
 allow metrics_collector block_device:dir search;

 allow metrics_collector labeledfs:filesystem getattr;
 allow metrics_collector proc:dir search;
 allow metrics_collector proc:file r_file_perms;
 allow metrics_collector sysfs:dir read;
 allow metrics_collector sysfs_devices_system_cpu:dir search;

 allow metrics_collector sysfs:dir open;
 allow metrics_collector sysfs:file r_file_perms;
 allow metrics_collector sysfs:filesystem getattr;
 allow metrics_collector sysfs:lnk_file read;

 r_dir_file(metrics_collector, sysfs_devices_system_cpu)

 allow metrics_collector system_file:dir getattr;

 # Allow reading os-release.d properties.
 r_dir_file(metrics_collector, os_release_file);

 # Reduce logging.
 dontaudit metrics_collector debugfs:dir search;

 ################################
 # metrics_client
 type metrics_client_exec, exec_type, file_type;
	###############################
	# metrics_collector.
	type metrics_collector, domain;
	type metrics_collector_exec, exec_type, file_type;
	type metrics_collector_data_file, file_type, data_file_type;

	brillo_domain(metrics_collector)

	# Allow crash_reporter access to core dump files.
	allow_crash_reporter(metrics_collector)

	# Allow metrics_collector to report metrics.
	allow_metrics_reporting(metrics_collector)

	# Allow metrics_collector to create files in the shared metrics directory.
	allow metrics_collector metrics_data_file:dir rw_dir_perms;
	allow metrics_collector metrics_data_file:file create_file_perms;

	# Rules for the metrics_collector daemon.
	allow metrics_collector metrics_collector_data_file:dir rw_dir_perms;
	allow metrics_collector metrics_collector_data_file:file create_file_perms;
	allow metrics_collector block_device:blk_file getattr;
	allow metrics_collector block_device:dir search;

	allow metrics_collector labeledfs:filesystem getattr;
	allow metrics_collector proc:dir search;
	allow metrics_collector proc:file r_file_perms;
	allow metrics_collector sysfs:dir read;
	allow metrics_collector sysfs_devices_system_cpu:dir search;

	allow metrics_collector sysfs:dir open;
	allow metrics_collector sysfs:file r_file_perms;
	allow metrics_collector sysfs:filesystem getattr;
	allow metrics_collector sysfs:lnk_file read;

	r_dir_file(metrics_collector, sysfs_devices_system_cpu)

	allow metrics_collector system_file:dir getattr;

	# Allow reading os-release.d properties.
	r_dir_file(metrics_collector, os_release_file);

	# Reduce logging.
	dontaudit metrics_collector debugfs:dir search;

	################################
	# metrics_client
	type metrics_client_exec, exec_type, file_type;