| # Domain to run Car Service (com.android.car) |
| app_domain(carservice_app); |
| |
| # Allow Car Service to be the client of Vehicle and Audio Control HALs |
| hal_client_domain(carservice_app, hal_audiocontrol) |
| hal_client_domain(carservice_app, hal_health) |
| hal_client_domain(carservice_app, hal_vehicle) |
| |
| # Allow to set boot.car_service_created property |
| set_prop(carservice_app, system_prop) |
| |
| # Allow Car Service to register/access itself with ServiceManager |
| add_service(carservice_app, carservice_service) |
| |
| # Allow Car Service to register its stats service with ServiceManager |
| add_service(carservice_app, carstats_service) |
| |
| allow carservice_app wifi_service:service_manager find; |
| |
| # Allow Car Service to access certain system services. |
| # Keep alphabetically sorted. |
| allow carservice_app { |
| accessibility_service |
| activity_service |
| activity_task_service |
| audio_service |
| audioserver_service |
| autofill_service |
| bluetooth_manager_service |
| connectivity_service |
| content_service |
| deviceidle_service |
| display_service |
| graphicsstats_service |
| input_method_service |
| input_service |
| location_service |
| media_session_service |
| network_management_service |
| power_service |
| procfsinspector_service |
| sensorservice_service |
| surfaceflinger_service |
| telecom_service |
| uimode_service |
| voiceinteraction_service |
| }:service_manager find; |
| |
| # Read and write /data/data subdirectory. |
| allow carservice_app system_app_data_file:dir create_dir_perms; |
| allow carservice_app system_app_data_file:{ file lnk_file } create_file_perms; |
| # R/W /data/system/car |
| allow carservice_app system_car_data_file:dir create_dir_perms; |
| allow carservice_app system_car_data_file:{ file lnk_file } create_file_perms; |
| |
| net_domain(carservice_app) |
| |
| allow carservice_app cgroup:file rw_file_perms; |
| |
| # For I/O stats tracker |
| allow carservice_app proc_uid_io_stats:file { read open getattr }; |
| |
| allow carservice_app procfsinspector:binder call; |
| |
| # To access /sys/fs/<type>/<partition>/lifetime_write_kbytes |
| allow carservice_app sysfs_fs_lifetime_write:file { getattr open read }; |
| |
| set_prop(carservice_app, ctl_start_prop) |
| unix_socket_connect(carservice_app, dumpstate, dumpstate) |