# SELinux policy for the lpdumpd daemon domain.
# lpdumpd is declared as a coredomain; lpdumpd_exec labels its executable.
type lpdumpd, domain, coredomain;
type lpdumpd_exec, system_file_type, exec_type, file_type;

# Set lpdumpd up as a daemon domain started by init.
# NOTE(review): init_daemon_domain is a macro defined outside this file;
# the exact transition rules it expands to are not visible here.
init_daemon_domain(lpdumpd)

# Allow lpdumpd to use binder and to register itself as lpdump_service.
binder_use(lpdumpd)
add_service(lpdumpd, lpdump_service)

# Allow lpdumpd to find the super partition block device.
# Only directory read access is granted on the generic block_device type;
# no blk_file access to generically labelled block nodes is given here.
allow lpdumpd block_device:dir r_dir_perms;

# Allow lpdumpd to read super partition metadata.
# The grant is read-only, but it applies to the whole block node: SELinux
# cannot limit access to the metadata region, so any block device carrying
# the super_block_device_type attribute is readable in full by this domain.
allow lpdumpd super_block_device_type:blk_file r_file_perms;

# Allow lpdumpd to read fstab.
# NOTE(review): the r_dir_file() call further down names the same source and
# target type; if it expands to the usual dir/file read grants, these two
# allow rules overlap with it -- confirm against the macro definition.
allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
read_fstab(lpdumpd)

# Allow lpdumpd to get the A/B slot suffix from the device tree or the
# kernel command line.
r_dir_file(lpdumpd, sysfs_dt_firmware_android);
allow lpdumpd proc_cmdline:file r_file_perms;

# Allow reading Virtual A/B status information: the virtual_ab_prop property
# and the OTA metadata files. metadata_file only gets "search", which is
# enough to traverse the directory but not to list it. The "lock" permission
# on the ota_metadata_file directory is granted in addition to read access.
get_prop(lpdumpd, virtual_ab_prop)
allow lpdumpd metadata_file:dir search;
allow lpdumpd ota_metadata_file:dir { r_dir_perms lock };
allow lpdumpd ota_metadata_file:file r_file_perms;

### Neverallow rules
# These are build-time assertions, not grants: policy that gives the listed
# permission to any domain outside the exemption set fails to compile. The
# exempted domains still need their own allow rules elsewhere.

# Disallow other domains from looking up lpdump_service. Only dumpstate,
# shell and lpdumpd itself are exempt. This keeps the set of callers of a
# daemon that can read the super partition block device small.
neverallow {
  domain
  -dumpstate
  -lpdumpd
  -shell
} lpdump_service:service_manager find;

# Disallow other domains from making binder calls into lpdumpd. The exemption
# set is the same as above plus servicemanager.
neverallow {
  domain
  -dumpstate
  -lpdumpd
  -shell
  -servicemanager
} lpdumpd:binder call;