| # Temperature sensor daemon (root process) |
| type thermald, domain; |
| type thermald_exec, exec_type, file_type; |
| |
| # Started by init |
| init_daemon_domain(thermald) |
| |
| allow thermald self:socket create_socket_perms; |
| |
| # CPU hotplug uevent |
| allow thermald self:netlink_kobject_uevent_socket { create setopt bind read }; |
| # b/12450712: The dac_override should likely be fixed. It is included to |
| # allow access to a few /sys/module/msm_thermal/ files. Once |
| # the proper perms on those files are fixed this can likely be |
| # reverted. We also want to auditallow every instance |
| # of dac_override to track its behavior. |
| allow thermald self:capability { dac_override net_admin }; |
| auditallow thermald self:capability dac_override; |
| |
| # Talk to qmuxd (/dev/socket/qmux_radio) |
| qmux_socket(thermald) |
| |
| # Access shared logger (/dev/smem_log) |
| allow thermald shared_log_device:chr_file rw_file_perms; |
| |
| # Access /sys/devices/system/cpu/ |
| allow thermald sysfs_devices_system_cpu:file rw_file_perms; |
| |
| # Some files in /sys/devices/system/cpu may pop in and out of existance, |
| # defeating our attempt to label them. As a result, they could have the |
| # sysfs label, not the sysfs_devices_system_cpu label. |
| # Allow write access for now until we figure out a better solution. |
| # For example, the following files pop in and out of existance: |
| # /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq |
| # /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq |
| allow thermald sysfs:file write; |
| |
| # Create and access to /dev/socket/thermal-.* |
| type_transition thermald socket_device:sock_file thermald_socket; |
| allow thermald socket_device:dir w_dir_perms; |
| allow thermald thermald_socket:sock_file create_file_perms; |
| |
| # Connect to mpdecision. |
| allow thermald mpdecision_socket:dir r_dir_perms; |
| unix_socket_connect(thermald, mpdecision, mpdecision) |
| |
| # Access to /dev/msm_thermal_query |
| allow thermald thermal_engine_device:chr_file rw_file_perms; |