| ##################################### |
| # brillo_domain(domain) |
| # Allow a base set of permissions common across Brillo daemons. |
| define(`brillo_domain', ` |
| init_daemon_domain($1) |
| # Allow using binder and performing IPC to system services. |
| binder_use($1) |
| binder_service($1) |
| # Allow connections to dbus_daemon. |
| unix_socket_connect($1, dbus_daemon, dbus_daemon) |
| |
| # Allow access to cgroups mount point at /acct. |
| allow $1 cgroup:dir search; |
| allow $1 cgroup:file w_file_perms; |
| |
| # Allow access to files in /proc. |
| # Fixes denials like: |
| # avc: denied { read } for pid=1267 comm="peripheralman" name="misc" dev="proc" |
| # ino=4026531967 scontext=u:r:peripheralman:s0 |
| # tcontext=u:object_r:proc:s0 tclass=file permissive=0 |
| allow $1 proc:file r_file_perms; |
| |
| # Cut down on spam. |
| dontaudit $1 kernel:system module_request; |
| ') |
| |
| ##################################### |
| # allow_crash_reporter(domain) |
| # Allow crash_reporter to access crashes for a domain. |
| define(`allow_crash_reporter', ` |
| r_dir_file(crash_reporter, $1) |
| allow crash_reporter $1_exec:file r_file_perms; |
| ') |
| |
| ##################################### |
| # allow_power_management(domain) |
| # Allow a domain to control power management. |
| define(`allow_power_management', ` |
| allow $1 power_service:service_manager find; |
| binder_call($1, nativepowerman) |
| ') |
| |
| ##################################### |
| # allow_metrics_reporting(domain) |
| # Allow a domain to log metrics using libmetrics. |
| define(`allow_metrics_reporting', ` |
| allow $1 metricsd_service:service_manager find; |
| binder_use($1) |
| binder_call($1, metricsd) |
| allow $1 metrics_data_file:dir r_dir_perms; |
| allow $1 metrics_data_file:file r_file_perms; |
| ') |
| |
| ##################################### |
| # allow_metrics_event_reporting(domain) |
| # Allow a domain to report events using libmetricscollectorservice. |
| define(`allow_metrics_event_reporting', ` |
| allow $1 metricscollectorservice:service_manager find; |
| binder_call($1, metrics_collector) |
| ') |
| |
| ##################################### |
| # use_webservd(domain) |
| # Allow a domain to talk to webservd. |
| define(`use_webservd', ` |
| allow $1 webservd:fd use; |
| allow $1 webservd:fifo_file rw_file_perms; |
| allow $1 webservd_data_file:file r_file_perms; |
| ') |
| |
| ##################################### |
| # allow_call_weave(domain) |
| # Allow a domain and weaved to communicate with each other over binder. |
| define(`allow_call_weave', ` |
| allow $1 weave_service:service_manager find; |
| binder_call($1, weaved) |
| binder_call(weaved, $1) |
| ') |
| |
| ##################################### |
| # allow_call_update_engine(domain) |
| # Allow a domain and update_engine to communicate with each other over binder. |
| define(`allow_call_update_engine', ` |
| allow $1 update_engine_service:service_manager find; |
| binder_call($1, update_engine) |
| binder_call(update_engine, $1) |
| ') |