# Domain to run Car Service (com.android.car).
# carservice_app is an app domain (app_domain macro), so it starts from the
# generic appdomain rules and every `allow` below is an addition on top of them.
app_domain(carservice_app);
# Allow Car Service to be the client of the Vehicle, Health and Audio Control HALs.
hal_client_domain(carservice_app, hal_audiocontrol)
hal_client_domain(carservice_app, hal_health)
hal_client_domain(carservice_app, hal_vehicle)
# Allow Car Service to use the EVS (Extended View System) HAL as a client.
hal_client_domain(carservice_app, hal_evs)
# Allow setting the boot.car_service_created property.
# NOTE(review): the grant is on the whole `system_prop` context, i.e. every
# property labeled system_prop, not just boot.car_service_created — confirm the
# label is no broader than intended.
set_prop(carservice_app, system_prop)
# Allow Car Service to register itself with ServiceManager as carservice_service.
add_service(carservice_app, carservice_service)
# Allow Car Service to look up (service_manager find) the system services below.
# `find` only permits obtaining the binder handle; per-method access is enforced
# by the service itself.
# Keep alphabetically sorted.
allow carservice_app {
accessibility_service
activity_service
activity_task_service
audio_service
audioserver_service
autofill_service
bluetooth_manager_service
connectivity_service
content_service
deviceidle_service
display_service
graphicsstats_service
input_method_service
input_service
location_service
lock_settings_service
media_session_service
network_management_service
power_service
procfsinspector_service
sensorservice_service
statsmanager_service
surfaceflinger_service
telecom_service
tethering_service
thermal_service
uimode_service
voiceinteraction_service
wifi_service
wifiscanner_service
}:service_manager find;
# Read and write the app's /data/data subdirectory (system_app_data_file):
# full create/delete permissions on directories, files and symlinks.
allow carservice_app system_app_data_file:dir create_dir_perms;
allow carservice_app system_app_data_file:{ file lnk_file } create_file_perms;
# Read and write /data/system/car (system_car_data_file), same permission set.
allow carservice_app system_car_data_file:dir create_dir_perms;
allow carservice_app system_car_data_file:{ file lnk_file } create_file_perms;
# Grant network socket access (net_domain macro).
net_domain(carservice_app)
# Read/write cgroup control files.
# NOTE(review): purpose is not documented here — which controller/path needs
# write access? Record it so the rw grant can be audited.
allow carservice_app cgroup:file rw_file_perms;
# For the I/O stats tracker: read-only access to /proc/uid_io/stats.
allow carservice_app proc_uid_io_stats:file { read open getattr };
# Binder calls into the procfsinspector daemon (looked up via
# procfsinspector_service above).
allow carservice_app procfsinspector:binder call;
# Allow binder calls with statsd.
allow carservice_app statsd:binder call;
# To read /sys/fs/<type>/<partition>/lifetime_write_kbytes: directory listing
# and traversal only on the generic sysfs, ext4 and f2fs sysfs nodes (no file
# permissions are granted here beyond what appdomain already has).
allow carservice_app sysfs:dir { open read search };
allow carservice_app sysfs_fs_ext4_features:dir { open read search};
allow carservice_app sysfs_fs_f2fs:dir { open read search };
# Allow reading and writing files under /sys/power/ (e.g. for suspend control).
allow carservice_app sysfs_power:file rw_file_perms;
# Allow reading the system property sys.boot.reason (read/map of the property
# file only; no set permission).
allow carservice_app system_boot_reason_prop:file { getattr open read map };
## CarBugreportManagerService rules
# Start/stop services through the ctl.start / ctl.stop property contexts.
# NOTE(review): these contexts are not scoped to a single service; confirm that
# granting ctl_start_prop/ctl_stop_prop to an app domain is acceptable here.
set_prop(carservice_app, ctl_start_prop)
set_prop(carservice_app, ctl_stop_prop)
# Connect to dumpstate's unix socket (socket name dumpstate, server domain dumpstate).
unix_socket_connect(carservice_app, dumpstate, dumpstate)
# Allow setting "dumpstate.dry_run".
# Only compiled into userdebug/eng policy; user builds do not get this grant.
userdebug_or_eng(`
set_prop(carservice_app, exported_dumpstate_prop)
')
# Allow reading vehicle-specific configuration properties (vehicle_hal_prop).
get_prop(carservice_app, vehicle_hal_prop)
# Allow CarWatchdogService to access the car watchdog daemon as a client.
carwatchdog_client_domain(carservice_app)
# Allow CarPowerManagementService to look up the car power policy daemon.
allow carservice_app carpowerpolicyd_service:service_manager find;
# For ActivityBlockingActivity: GPU device node read/write, GPU device
# directory listing, and lookup of plus binder calls into gpuservice.
allow carservice_app gpu_device:chr_file rw_file_perms;
allow carservice_app gpu_device:dir r_dir_perms;
allow carservice_app gpu_service:service_manager find;
binder_call(carservice_app, gpuservice)
# Allow reading /proc/loadavg (read-only: open/read/getattr).
allow carservice_app proc_loadavg:file { open read getattr };