| # Integrated qualcomm sensor process |
| type sensors, domain; |
| type sensors_exec, exec_type, file_type; |
| |
| # Started by init |
| init_daemon_domain(sensors) |
| |
| # drop privileges |
| allow sensors self:capability { dac_override sys_nice chown setuid setgid net_bind_service}; |
| |
| # b/18417109 |
| # The kernel code does a permission check of both net_bind_service and |
| # net_raw, and allows access if either one returns true. |
| # It does the net_raw check first, triggering an SELinux denial. |
| # No need to audit |
| dontaudit sensors self:capability net_raw; |
| |
| allow sensors persist_sensors_file:dir setattr; |
| |
| allow sensors shared_log_device:chr_file rw_file_perms; |
| |
| # Access power management controls |
| allow sensors power_control_device:chr_file w_file_perms; |
| |
| allow sensors sensors_device:chr_file rw_file_perms; |
| type_transition sensors socket_device:sock_file sensors_socket "sensor_ctl_socket"; |
| allow sensors sensors_socket:sock_file create_file_perms; |
| allow sensors socket_device:dir { add_name write remove_name }; |
| |
| # Wake lock access |
| wakelock_use(sensors) |
| |
| # Access to /persist/sensors |
| allow sensors persist_file:dir r_dir_perms; |
| allow sensors persist_sensors_file:dir rw_dir_perms; |
| allow sensors persist_sensors_file:file create_file_perms; |
| |
| allow sensors self:socket *; |