private/bootanim.te - platform/system/sepolicy - Git at Google

 typeattribute bootanim coredomain;

 init_daemon_domain(bootanim)

 # b/68864350
 dontaudit bootanim unlabeled:dir search;

 # Bootanim should not be reading default vendor-defined properties.
 dontaudit bootanim vendor_default_prop:file read;

 # Read ro.boot.bootreason b/30654343
 get_prop(bootanim, bootloader_boot_reason_prop)

 get_prop(bootanim, bootanim_config_prop)

 # Allow updating boot animation status.
 set_prop(bootanim, bootanim_system_prop)

 # Allow accessing /data/misc/bootanim
 r_dir_file(bootanim, bootanim_data_file)

 # Allow accessing vendor apex for EGL/GLES
 allow bootanim vendor_apex_metadata_file:dir r_dir_perms;

 hal_client_domain(bootanim, hal_configstore)
 hal_client_domain(bootanim, hal_graphics_allocator)
 hal_client_domain(bootanim, hal_graphics_composer)

 binder_use(bootanim)
 binder_call(bootanim, surfaceflinger)
 binder_call(bootanim, audioserver)

 hwbinder_use(bootanim)

 allow bootanim gpu_device:chr_file rw_file_perms;
 allow bootanim gpu_device:dir r_dir_perms;
 allow bootanim sysfs_gpu:file r_file_perms;

 # /oem access
 allow bootanim oemfs:dir r_dir_perms;
 # boot animations on oem are stored with specific label
 allow bootanim bootanim_oem_file:file r_file_perms;

 allow bootanim audio_device:dir r_dir_perms;
 allow bootanim audio_device:chr_file rw_file_perms;

 allow bootanim audioserver_service:service_manager find;
 allow bootanim surfaceflinger_service:service_manager find;
 allow bootanim surfaceflinger:unix_stream_socket { read write };

 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;

 # Allow access to DMA-BUF system heap
 allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;

 allow bootanim hal_graphics_allocator:fd use;

 # Fences
 allow bootanim hal_graphics_composer:fd use;

 # Read access to pseudo filesystems.
 allow bootanim proc_meminfo:file r_file_perms;

 # System file accesses.
 allow bootanim system_file:dir r_dir_perms;
	typeattribute bootanim coredomain;

	init_daemon_domain(bootanim)

	# b/68864350
	dontaudit bootanim unlabeled:dir search;

	# Bootanim should not be reading default vendor-defined properties.
	dontaudit bootanim vendor_default_prop:file read;

	# Read ro.boot.bootreason b/30654343
	get_prop(bootanim, bootloader_boot_reason_prop)

	get_prop(bootanim, bootanim_config_prop)

	# Allow updating boot animation status.
	set_prop(bootanim, bootanim_system_prop)

	# Allow accessing /data/misc/bootanim
	r_dir_file(bootanim, bootanim_data_file)

	# Allow accessing vendor apex for EGL/GLES
	allow bootanim vendor_apex_metadata_file:dir r_dir_perms;

	hal_client_domain(bootanim, hal_configstore)
	hal_client_domain(bootanim, hal_graphics_allocator)
	hal_client_domain(bootanim, hal_graphics_composer)

	binder_use(bootanim)
	binder_call(bootanim, surfaceflinger)
	binder_call(bootanim, audioserver)

	hwbinder_use(bootanim)

	allow bootanim gpu_device:chr_file rw_file_perms;
	allow bootanim gpu_device:dir r_dir_perms;
	allow bootanim sysfs_gpu:file r_file_perms;

	# /oem access
	allow bootanim oemfs:dir r_dir_perms;
	# boot animations on oem are stored with specific label
	allow bootanim bootanim_oem_file:file r_file_perms;

	allow bootanim audio_device:dir r_dir_perms;
	allow bootanim audio_device:chr_file rw_file_perms;

	allow bootanim audioserver_service:service_manager find;
	allow bootanim surfaceflinger_service:service_manager find;
	allow bootanim surfaceflinger:unix_stream_socket { read write };

	# Allow access to ion memory allocation device
	allow bootanim ion_device:chr_file rw_file_perms;

	# Allow access to DMA-BUF system heap
	allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;

	allow bootanim hal_graphics_allocator:fd use;

	# Fences
	allow bootanim hal_graphics_composer:fd use;

	# Read access to pseudo filesystems.
	allow bootanim proc_meminfo:file r_file_perms;

	# System file accesses.
	allow bootanim system_file:dir r_dir_perms;