# Domain for the Hiccup application, the Binder client of the hiccupd daemon
# declared below.
type hiccup_app, domain;
# Apply the common application-domain rules to hiccup_app.
app_domain(hiccup_app)
# Give hiccup_app network access.
# NOTE(review): further down this domain is also allowed to read /persist and
# cache_file content, so whatever those rules expose can leave the device
# through this domain. Keep the readable set as small as possible.
net_domain(hiccup_app)
# Domain for the hiccupd daemon. The coredomain attribute places it among the
# platform (system image) domains.
type hiccupd, coredomain, domain;
# Label for the hiccupd executable; system_file_type marks it as a file that
# lives on the system partition.
type hiccupd_exec, exec_type, system_file_type, file_type;
# Allow for transition from init domain to hiccupd
# (init enters the hiccupd domain when it executes a file labeled hiccupd_exec).
init_daemon_domain(hiccupd)
# Allow hiccupd to use Binder IPC
binder_use(hiccupd)
# Mark hiccupd as a Binder service domain
binder_service(hiccupd)
# Allow apps to interact with hiccupd
# binder_call(A, B) lets A make Binder calls into B; each pair below is granted
# in both directions so that callbacks work as well.
binder_call(hiccupd, hiccup_app)
binder_call(hiccup_app, hiccupd)
# NOTE(review): system_app is a shared domain, not a single application. SELinux
# only decides which domains can reach hiccupd; any per-caller or per-method
# restriction has to be enforced inside the daemon (UID/permission checks on
# each Binder transaction). Confirm that hiccupd does this.
binder_call(hiccupd, system_app)
binder_call(system_app, hiccupd)
# Allow hiccup_app to find services
# The set covers the services exposed to apps (app_api_service), the hiccupd
# service itself and SurfaceFlinger.
# NOTE(review): hiccupd_service is not declared in this file; presumably it is
# defined together with its service_contexts entry elsewhere. Verify.
allow hiccup_app {
app_api_service
hiccupd_service
surfaceflinger_service
}:service_manager find;
# Allow hiccup_app to read persist.fp.hiccup.* properties
# NOTE(review): hiccup_prop is not declared in this file; the mapping of the
# persist.fp.hiccup.* prefix to it presumably lives in property_contexts.
get_prop(hiccup_app, hiccup_prop)
# Allow hiccup_app to read files in /persist
# NOTE(review): persist_file is the generic /persist label, so these two rules
# let a network-enabled app domain list and read every file and directory that
# carries it, not only the files Hiccup needs. A dedicated type for the
# specific files (labeled in file_contexts) would keep this to least privilege.
allow hiccup_app persist_file:dir r_dir_perms;
allow hiccup_app persist_file:file r_file_perms;
# Allow hiccup_app to detect if the last shutdown was clean
get_prop(hiccup_app, shutdown_reason_prop)
# Allow access to Permission Controller in System Server
# (one direction only: hiccupd calls into system_server).
binder_call(hiccupd, system_server)
# Allow hiccupd to be registered with service manager
# Only the add permission is granted here; lookups are covered by the separate
# find rule for hiccup_app.
allow hiccupd hiccupd_service:service_manager add;
# Allow hiccupd to execute commands
# NOTE(review): in stock AOSP rx_file_perms includes execute_no_trans, so the
# shell, toolbox and any system_file binary started by hiccupd keep running in
# the hiccupd domain with all of its permissions (kernel log access, property
# writes, cache writes). Command lines must therefore never be built from data
# supplied by Binder callers. If only a few fixed tools are needed, prefer
# granting execute on those specific types over the generic system_file label.
allow hiccupd shell_exec:file rx_file_perms;
allow hiccupd toolbox_exec:file rx_file_perms;
allow hiccupd system_file:file rx_file_perms;
# Allow hiccupd to set properties
# (write access to hiccup_prop; hiccup_app only has get_prop on the same type).
set_prop(hiccupd, hiccup_prop)
# Allow reading and writing log files
# hiccupd may create and modify files of its own hiccup_file type and may add
# or remove entries in directories of that type.
allow hiccupd hiccup_file:file create_file_perms;
allow hiccupd hiccup_file:dir rw_dir_perms;
# NOTE(review): cache_file is the generic cache label shared with other
# components. The rules below let hiccupd create files and directories under it
# and let hiccup_app read any file labeled cache_file, not only the ones
# hiccupd wrote. Since hiccupd can also read kernel logs, check what ends up in
# these files and consider using the dedicated hiccup_file type for the
# exchange instead.
allow hiccupd cache_file:dir create_dir_perms;
allow hiccupd cache_file:file create_file_perms;
allow hiccup_app cache_file:file r_file_perms;
# Allow reading of files in /proc
# - /proc/sys/kernel/boot_reason and
# - /proc/sys/qpnp-power-on/pon_reason
# - /proc/sys/qpnp-power-on/poff_reason
# NOTE(review): the rule is wider than the three files listed above. It grants
# read access to every /proc entry that still carries the generic proc label.
# Giving those entries a dedicated type through genfs_contexts and allowing
# only that type would match the stated intent.
allow hiccupd proc:file r_file_perms;
# Allow dumping of current kernel logs with dmesg
# syslog_read covers reading the kernel ring buffer; the kmsg_device rule
# allows opening and reading the kernel message device node (no write).
# NOTE(review): kernel logs can contain addresses and other diagnostic detail.
# Treat anything hiccupd derives from them as sensitive when it is written to
# storage that hiccup_app can read.
allow hiccupd kernel:system syslog_read;
allow hiccupd kmsg_device:chr_file { open read };