sepolicy/sensorservice.te - device/generic/brillo - Git at Google

 type sensorservice, domain;
 type sensorservice_exec, exec_type, file_type;

 brillo_domain(sensorservice)

 # Allow sensorservice to be discovered by servicemanager and use binder.
 allow sensorservice sensorservice_service:service_manager add;
 allow sensorservice servicemanager:binder { transfer call };

 # Allow servicemanager to access sensorservice.
 allow servicemanager sensorservice:dir search;
 allow servicemanager sensorservice:file r_file_perms;
 allow servicemanager sensorservice:process getattr;

 # Allow crash_reporter access to core dump files.
 allow_crash_reporter(sensorservice)

 allow sensorservice cpuctl_device:dir search;

 allow sensorservice proc_net:dir search;
 allow sensorservice proc_net:file r_file_perms;

 allow sensorservice sysfs:dir r_dir_perms;
 allow sensorservice sysfs:file r_file_perms;
 allow sensorservice sysfs:lnk_file read;

 allow sensorservice self:capability { net_admin sys_nice };
	type sensorservice, domain;
	type sensorservice_exec, exec_type, file_type;

	brillo_domain(sensorservice)

	# Allow sensorservice to be discovered by servicemanager and use binder.
	allow sensorservice sensorservice_service:service_manager add;
	allow sensorservice servicemanager:binder { transfer call };

	# Allow servicemanager to access sensorservice.
	allow servicemanager sensorservice:dir search;
	allow servicemanager sensorservice:file r_file_perms;
	allow servicemanager sensorservice:process getattr;

	# Allow crash_reporter access to core dump files.
	allow_crash_reporter(sensorservice)

	allow sensorservice cpuctl_device:dir search;

	allow sensorservice proc_net:dir search;
	allow sensorservice proc_net:file r_file_perms;

	allow sensorservice sysfs:dir r_dir_perms;
	allow sensorservice sysfs:file r_file_perms;
	allow sensorservice sysfs:lnk_file read;

	allow sensorservice self:capability { net_admin sys_nice };