xref: /aosp_15_r20/system/sepolicy/prebuilts/api/30.0/public/bootstat.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
1*e4a36f41SAndroid Build Coastguard Worker# bootstat command
2*e4a36f41SAndroid Build Coastguard Workertype bootstat, domain;
3*e4a36f41SAndroid Build Coastguard Workertype bootstat_exec, system_file_type, exec_type, file_type;
4*e4a36f41SAndroid Build Coastguard Worker
5*e4a36f41SAndroid Build Coastguard Workerread_runtime_log_tags(bootstat)
6*e4a36f41SAndroid Build Coastguard Worker
7*e4a36f41SAndroid Build Coastguard Worker# Allow persistent storage in /data/misc/bootstat.
8*e4a36f41SAndroid Build Coastguard Workerallow bootstat bootstat_data_file:dir rw_dir_perms;
9*e4a36f41SAndroid Build Coastguard Workerallow bootstat bootstat_data_file:file create_file_perms;
10*e4a36f41SAndroid Build Coastguard Worker
11*e4a36f41SAndroid Build Coastguard Worker# Collect metrics on boot time created by init
12*e4a36f41SAndroid Build Coastguard Workerget_prop(bootstat, boottime_prop)
13*e4a36f41SAndroid Build Coastguard Worker
14*e4a36f41SAndroid Build Coastguard Worker# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
15*e4a36f41SAndroid Build Coastguard Workerset_prop(bootstat, bootloader_boot_reason_prop)
16*e4a36f41SAndroid Build Coastguard Workerset_prop(bootstat, system_boot_reason_prop)
17*e4a36f41SAndroid Build Coastguard Workerset_prop(bootstat, last_boot_reason_prop)
18*e4a36f41SAndroid Build Coastguard Workerallow bootstat metadata_file:dir search;
19*e4a36f41SAndroid Build Coastguard Workerallow bootstat metadata_bootstat_file:dir rw_dir_perms;
20*e4a36f41SAndroid Build Coastguard Workerallow bootstat metadata_bootstat_file:file create_file_perms;
21*e4a36f41SAndroid Build Coastguard Worker
22*e4a36f41SAndroid Build Coastguard Worker# ToDo: TBI move access for the following to a system health HAL
23*e4a36f41SAndroid Build Coastguard Worker
24*e4a36f41SAndroid Build Coastguard Worker# Allow access to /sys/fs/pstore/ and syslog
25*e4a36f41SAndroid Build Coastguard Workerallow bootstat pstorefs:dir search;
26*e4a36f41SAndroid Build Coastguard Workerallow bootstat pstorefs:file r_file_perms;
27*e4a36f41SAndroid Build Coastguard Workerallow bootstat kernel:system syslog_read;
28*e4a36f41SAndroid Build Coastguard Worker
29*e4a36f41SAndroid Build Coastguard Worker# Allow access to reading the logs to read aspects of system health
30*e4a36f41SAndroid Build Coastguard Workerread_logd(bootstat)
31*e4a36f41SAndroid Build Coastguard Worker
32*e4a36f41SAndroid Build Coastguard Worker# Allow bootstat write to statsd.
33*e4a36f41SAndroid Build Coastguard Workerunix_socket_send(bootstat, statsdw, statsd)
34*e4a36f41SAndroid Build Coastguard Worker
35*e4a36f41SAndroid Build Coastguard Worker# ToDo: end
36*e4a36f41SAndroid Build Coastguard Worker
37*e4a36f41SAndroid Build Coastguard Workerneverallow {
38*e4a36f41SAndroid Build Coastguard Worker  domain
39*e4a36f41SAndroid Build Coastguard Worker  -bootanim
40*e4a36f41SAndroid Build Coastguard Worker  -bootstat
41*e4a36f41SAndroid Build Coastguard Worker  -dumpstate
42*e4a36f41SAndroid Build Coastguard Worker  userdebug_or_eng(`-incidentd')
43*e4a36f41SAndroid Build Coastguard Worker  -init
44*e4a36f41SAndroid Build Coastguard Worker  -recovery
45*e4a36f41SAndroid Build Coastguard Worker  -shell
46*e4a36f41SAndroid Build Coastguard Worker  -system_server
47*e4a36f41SAndroid Build Coastguard Worker} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
48*e4a36f41SAndroid Build Coastguard Worker# ... and refine, as these components should not set the last boot reason
49*e4a36f41SAndroid Build Coastguard Workerneverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
50*e4a36f41SAndroid Build Coastguard Worker
51*e4a36f41SAndroid Build Coastguard Workerneverallow {
52*e4a36f41SAndroid Build Coastguard Worker  domain
53*e4a36f41SAndroid Build Coastguard Worker  -bootstat
54*e4a36f41SAndroid Build Coastguard Worker  -init
55*e4a36f41SAndroid Build Coastguard Worker  -system_server
56*e4a36f41SAndroid Build Coastguard Worker} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
57*e4a36f41SAndroid Build Coastguard Worker# ... and refine ... for a ro propertly no less ... keep this _tight_
58*e4a36f41SAndroid Build Coastguard Workerneverallow system_server bootloader_boot_reason_prop:property_service set;
59*e4a36f41SAndroid Build Coastguard Worker
60*e4a36f41SAndroid Build Coastguard Workerneverallow {
61*e4a36f41SAndroid Build Coastguard Worker  domain
62*e4a36f41SAndroid Build Coastguard Worker  -bootstat
63*e4a36f41SAndroid Build Coastguard Worker  -init
64*e4a36f41SAndroid Build Coastguard Worker} system_boot_reason_prop:property_service set;
65