sepolicy/metrics_collector.te - device/generic/brillo - Git at Google

 ###############################
 # metrics_collector.
 type metrics_collector, domain;
 type metrics_collector_exec, exec_type, file_type;
 type metrics_collector_data_file, file_type, data_file_type;

 brillo_domain(metrics_collector)

 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(metrics_collector)

 # Allow metrics_collector to report metrics.
 allow_metrics_reporting(metrics_collector)

 # Allow metrics_collector to create files in the shared metrics directory.
 allow metrics_collector metrics_data_file:dir rw_dir_perms;
 allow metrics_collector metrics_data_file:file create_file_perms;

 # metrics_collector adds metricscollectorservice binder interface.
 allow metrics_collector metricscollectorservice:service_manager { add find };

 # Allow metrics_collector to talk to weaved over binder.
 allow_call_weave(metrics_collector)

 # Allow metrics_collector to access its own data files.
 allow metrics_collector metrics_collector_data_file:dir rw_dir_perms;
 allow metrics_collector metrics_collector_data_file:file create_file_perms;

 allow metrics_collector block_device:blk_file getattr;
 allow metrics_collector block_device:dir search;

 allow metrics_collector system_file:dir getattr;

 allow metrics_collector labeledfs:filesystem getattr;
 allow metrics_collector sysfs:filesystem getattr;

 r_dir_file(metrics_collector, proc)
 r_dir_file(metrics_collector, sysfs)

 r_dir_file(metrics_collector, sysfs_zram)

 allow metrics_collector proc_meminfo:file r_file_perms;

 # Allow reading os-release.d properties.
 r_dir_file(metrics_collector, os_release_file);

 ################################
 # metrics_client
 type metrics_client_exec, exec_type, file_type;
	###############################
	# metrics_collector.
	type metrics_collector, domain;
	type metrics_collector_exec, exec_type, file_type;
	type metrics_collector_data_file, file_type, data_file_type;

	brillo_domain(metrics_collector)

	# Allow crash_reporter access to core dump files.
	allow_crash_reporter(metrics_collector)

	# Allow metrics_collector to report metrics.
	allow_metrics_reporting(metrics_collector)

	# Allow metrics_collector to create files in the shared metrics directory.
	allow metrics_collector metrics_data_file:dir rw_dir_perms;
	allow metrics_collector metrics_data_file:file create_file_perms;

	# metrics_collector adds metricscollectorservice binder interface.
	allow metrics_collector metricscollectorservice:service_manager { add find };

	# Allow metrics_collector to talk to weaved over binder.
	allow_call_weave(metrics_collector)

	# Allow metrics_collector to access its own data files.
	allow metrics_collector metrics_collector_data_file:dir rw_dir_perms;
	allow metrics_collector metrics_collector_data_file:file create_file_perms;

	allow metrics_collector block_device:blk_file getattr;
	allow metrics_collector block_device:dir search;

	allow metrics_collector system_file:dir getattr;

	allow metrics_collector labeledfs:filesystem getattr;
	allow metrics_collector sysfs:filesystem getattr;

	r_dir_file(metrics_collector, proc)
	r_dir_file(metrics_collector, sysfs)

	r_dir_file(metrics_collector, sysfs_zram)

	allow metrics_collector proc_meminfo:file r_file_perms;

	# Allow reading os-release.d properties.
	r_dir_file(metrics_collector, os_release_file);

	################################
	# metrics_client
	type metrics_client_exec, exec_type, file_type;