blob: 78ebfaeea853c66867571aa4f23eed53d47ba8cc [file] [log] [blame]
# Temperature sensor daemon (root process)
type thermald, domain;
type thermald_exec, exec_type, file_type;
# Started by init
init_daemon_domain(thermald)
allow thermald self:socket create_socket_perms;
# CPU hotplug uevent
allow thermald self:netlink_kobject_uevent_socket { create setopt bind read };
# b/12450712: The dac_override should likely be fixed. It is included to
# allow access to a few /sys/module/msm_thermal/ files. Once
# the proper perms on those files are fixed this can likely be
# reverted. We also want to auditallow every instance
# of dac_override to track its behavior.
allow thermald self:capability { dac_override net_admin };
auditallow thermald self:capability dac_override;
# Talk to qmuxd (/dev/socket/qmux_radio)
qmux_socket(thermald)
# Access shared logger (/dev/smem_log)
allow thermald shared_log_device:chr_file rw_file_perms;
# Access /sys/devices/system/cpu/
allow thermald sysfs_devices_system_cpu:file rw_file_perms;
# Some files in /sys/devices/system/cpu may pop in and out of existance,
# defeating our attempt to label them. As a result, they could have the
# sysfs label, not the sysfs_devices_system_cpu label.
# Allow write access for now until we figure out a better solution.
# For example, the following files pop in and out of existance:
# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
allow thermald sysfs:file write;
# Create and access to /dev/socket/thermal-.*
type_transition thermald socket_device:sock_file thermald_socket;
allow thermald socket_device:dir w_dir_perms;
allow thermald thermald_socket:sock_file create_file_perms;
# Connect to mpdecision.
allow thermald mpdecision_socket:dir r_dir_perms;
unix_socket_connect(thermald, mpdecision, mpdecision)
# Access to /dev/msm_thermal_query
allow thermald thermal_engine_device:chr_file rw_file_perms;