1# volume manager 2type iorapd, domain; 3type iorapd_exec, exec_type, file_type, system_file_type; 4type iorapd_tmpfs, file_type; 5 6r_dir_file(iorapd, rootfs) 7 8# Allow read/write /proc/sys/vm/drop/caches 9allow iorapd proc_drop_caches:file rw_file_perms; 10 11# Give iorapd a place where only iorapd can store files; everyone else is off limits 12allow iorapd iorapd_data_file:dir create_dir_perms; 13allow iorapd iorapd_data_file:file create_file_perms; 14 15# Allow iorapd to publish a binder service and make binder calls. 16binder_use(iorapd) 17add_service(iorapd, iorapd_service) 18 19# Allow iorapd to call into the system server so it can check permissions. 20binder_call(iorapd, system_server) 21allow iorapd permission_service:service_manager find; 22# IUserManager 23allow iorapd user_service:service_manager find; 24# IPackageManagerNative 25allow iorapd package_native_service:service_manager find; 26# Allow dumpstate (bugreport) to call into iorapd. 27allow iorapd dumpstate:fd use; 28allow iorapd dumpstate:fifo_file write; 29 30# TODO: does each of the service_manager allow finds above need the binder_call? 31 32# iorapd temporarily changes its priority when running benchmarks 33allow iorapd self:global_capability_class_set sys_nice; 34 35# Allow to access Perfetto traced's privileged consumer socket to start/stop 36# tracing sessions and read trace data. 37unix_socket_connect(iorapd, traced_consumer, traced) 38 39# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time. 40allow iorapd system_file:file rx_file_perms; 41 42# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd. 43allow iorapd iorap_inode2filename:process signull; 44allow iorapd iorap_prefetcherd:process signull; 45 46# Allowing system_server to check for the existence and size of files under iorapd 47# dir without collecting any sensitive app data. 48# This is used to predict if iorapd is doing prefetching or not. 49allow system_server iorapd_data_file:dir { getattr open read search }; 50allow system_server iorapd_data_file:file getattr; 51 52### 53### neverallow rules 54### 55 56neverallow { 57 domain 58 -iorapd 59} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; 60 61neverallow { 62 domain 63 -init 64 -iorapd 65 -system_server 66} iorapd_data_file:dir *; 67 68neverallow { 69 domain 70 -kernel 71 -iorapd 72} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr }; 73 74neverallow { 75 domain 76 -init 77 -kernel 78 -vendor_init 79 -iorapd 80 -system_server 81} { iorapd_data_file }:notdevfile_class_set *; 82 83# Only system_server and shell (for dumpsys) can interact with iorapd over binder 84neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find; 85neverallow iorapd { 86 domain 87 -servicemanager 88 -system_server 89 userdebug_or_eng(`-su') 90}:binder call; 91 92neverallow { domain -init } iorapd:process { transition dyntransition }; 93neverallow iorapd domain:{ udp_socket rawip_socket } *; 94neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *; 95