# iorapd -- I/O prefetching daemon: collects Perfetto traces, compiles them in
# idle time, and drives prefetching of app files (see the rules below).
type iorapd, domain;
# Label of the iorapd executable (the domain's entry point; only init may
# transition into iorapd, see the neverallow at the end of this file).
type iorapd_exec, exec_type, file_type, system_file_type;
# tmpfs-backed files owned by iorapd. No rule in this file uses the type;
# presumably granted via a tmpfs_domain()-style macro elsewhere -- TODO confirm.
type iorapd_tmpfs, file_type;
# Read-only access to directories and files on the root filesystem.
r_dir_file(iorapd, rootfs)
# Allow read/write of /proc/sys/vm/drop_caches. Writing to it evicts the page
# cache system-wide, so this is a privileged knob; presumably used to start the
# benchmarks mentioned below from a cold cache -- TODO confirm.
allow iorapd proc_drop_caches:file rw_file_perms;
# Give iorapd a private place to store files: full create/read/write on its own
# directory and file label. Exclusivity ("everyone else is off limits") is
# enforced by the neverallow rules at the end of this file, not merely by the
# absence of allow rules in other policy files.
allow iorapd iorapd_data_file:dir create_dir_perms;
allow iorapd iorapd_data_file:file create_file_perms;
# Allow iorapd to publish a binder service and make binder calls.
binder_use(iorapd)
add_service(iorapd, iorapd_service)
# Allow iorapd to call into the system server so it can check permissions.
binder_call(iorapd, system_server)
# Permission service (name lookup only; the call itself is covered above).
allow iorapd permission_service:service_manager find;
# IUserManager
allow iorapd user_service:service_manager find;
# IPackageManagerNative
allow iorapd package_native_service:service_manager find;
# Allow dumpstate (bugreport) to call into iorapd: iorapd may use the fd that
# dumpstate hands it and write to that fifo. iorapd gets no binder:call to
# dumpstate (see the neverallow below), so this is strictly one-way.
allow iorapd dumpstate:fd use;
allow iorapd dumpstate:fifo_file write;
# talk to batteryservice (hosted by healthd)
binder_call(iorapd, healthd)
# TODO: does each of the service_manager allow finds above need the binder_call?
# (The finds only permit the name lookup; binder_call(iorapd, system_server)
# above is what lets iorapd talk to the service once found, assuming all three
# services live in system_server -- verify.)
# iorapd temporarily changes its priority when running benchmarks.
allow iorapd self:global_capability_class_set sys_nice;
# Allow access to Perfetto traced's privileged consumer socket to start/stop
# tracing sessions and read trace data. A consumer sees whatever the trace
# config captures (system-wide), so this is a sensitive grant.
unix_socket_connect(iorapd, traced_consumer, traced)
# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
# NOTE(review): this grants rx on every system_file-labelled file, not only the
# named compiler binary, and no domain transition is defined here, so whatever
# is executed runs with iorapd's own permissions. A dedicated exec type for the
# compiler would make this narrower.
allow iorapd system_file:file rx_file_perms;
# Allow iorapd to send signull (signal 0, a liveness probe; nothing is actually
# delivered) to iorap_inode2filename and iorap_prefetcherd.
allow iorapd iorap_inode2filename:process signull;
allow iorapd iorap_prefetcherd:process signull;
# Allow system_server to check for the existence and size of files under the
# iorapd dir without collecting any sensitive app data: directory listing plus
# getattr on files, but no open/read of file contents. This is used to predict
# whether iorapd is doing prefetching or not. These are exactly the permissions
# the neverallow rules below leave open to system_server.
allow system_server iorapd_data_file:dir { getattr open read search };
allow system_server iorapd_data_file:file getattr;
###
### neverallow rules
###
# Exclusivity of iorapd_data_file. Read these as an upper bound on what any
# allow rule -- here or in any other policy file -- may grant.
#
# Directories: no domain other than iorapd may ever get anything beyond
# open/create/read/getattr/setattr/search/relabelto/ioctl (so no write,
# add_name, remove_name, rename, rmdir, ... for anyone else).
neverallow {
domain
-iorapd
} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
# ...and only init, iorapd and system_server may get anything at all on them
# (init presumably creates the directory at boot -- TODO confirm in init.rc).
neverallow {
domain
-init
-iorapd
-system_server
} iorapd_data_file:dir *;
# Non-directory files: no domain other than kernel and iorapd may get anything
# beyond relabelto/getattr (this is what bounds system_server's getattr above).
neverallow {
domain
-kernel
-iorapd
} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
# ...and only init, kernel, vendor_init, iorapd and system_server may get
# anything at all on them.
neverallow {
domain
-init
-kernel
-vendor_init
-iorapd
-system_server
} { iorapd_data_file }:notdevfile_class_set *;
# Only system_server and dumpstate (for bugreports, see the fd/fifo rules above)
# may look up iorapd_service; every other domain is denied the service_manager
# find outright. Note that shell is not in the exemption list.
neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
# iorapd itself may only make binder calls to healthd, servicemanager and
# system_server (plus su on userdebug/eng builds). Anything else iorapd needs
# over binder has to be reached through one of these.
neverallow iorapd {
domain
-healthd
-servicemanager
-system_server
userdebug_or_eng(`-su')
}:binder call;
# Only init may start a process in the iorapd domain: no other domain can
# transition or dyntransition into it.
neverallow { domain -init } iorapd:process { transition dyntransition };
# iorapd has no business on the network: no TCP, UDP or raw IP sockets at all.
neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;