# SELinux policy for the statsd daemon: type declarations, the allow rules and
# macro grants it runs with, and the neverallow rules fencing off its data files.

# NOTE(review): mlstrustedsubject exempts statsd from the MLS constraints on
# subjects. Any domain carrying it should be audited together with everything
# it is allowed to read and write below.
type statsd, domain, mlstrustedsubject;

type statsd_exec, system_file_type, exec_type, file_type;
binder_use(statsd)

# Let statsd walk /proc/<pid> for every process (read access to entries
# labelled with any type in the "domain" attribute).
r_dir_file(statsd, domain)

# Let statsd execute system binaries, e.g. a shell or:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
# NOTE(review): no domain transition is declared in this file for these
# targets, and system_file is granted execute_no_trans explicitly, so such a
# child keeps running as statsd with every permission granted here. Keep the
# set of executable types as small as possible.
allow statsd devpts:chr_file { getattr ioctl read write };
allow statsd shell_exec:file rx_file_perms;
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;

# Debug-only grant: this rule is emitted on userdebug/eng builds only.
userdebug_or_eng(`
  allow statsd su:fifo_file read;
')

# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
# NOTE(review): the neverallow section below names /data/misc/stats-service
# instead of stats-system; confirm against file_contexts which paths are
# actually labelled stats_data_file.
allow statsd stats_data_file:dir create_dir_perms;
allow statsd stats_data_file:file create_file_perms;

# Binder calls from statsd to apps, incidentd and system_server. Only the
# targets listed here (and the services further down) are reachable, not
# every binder service.
binder_call(statsd, appdomain)
binder_call(statsd, incidentd)
binder_call(statsd, system_server)

# Allow statsd to interact with gpuservice.
allow statsd gpu_service:service_manager find;
binder_call(statsd, gpuservice)

# Allow statsd to interact with keystore to pull atoms.
allow statsd keystore_service:service_manager find;
binder_call(statsd, keystore)

# Allow statsd to interact with mediametrics.
allow statsd mediametrics_service:service_manager find;
binder_call(statsd, mediametrics)

# Allow logd access: reading logs (read_logd) and logd control (control_logd).
read_logd(statsd)
control_logd(statsd)

# Let statsd look up these service classes in servicemanager. The permission
# granted is "find" (lookup) only; nothing here lets statsd register them.
allow statsd {
  app_api_service
  incident_service
  system_api_service
}:service_manager find;

# Let statsd find the health HAL to read battery metrics.
allow statsd hal_health_hwservice:hwservice_manager find;

# Allow statsd to send dump info to dumpstate.
allow statsd dumpstate:fd use;
allow statsd dumpstate:fifo_file { getattr write };

# Allow access to the hardware layer (HAL clients) and process stats.
allow statsd proc_uid_cputime_showstat:file { getattr open read };
hal_client_domain(statsd, hal_health)
hal_client_domain(statsd, hal_power)
hal_client_domain(statsd, hal_power_stats)
hal_client_domain(statsd, hal_thermal)

# Allow 'adb shell cmd' to upload configs and download output.
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read write };

# Let statsd send on its own statsdw socket.
unix_socket_send(statsd, statsdw, statsd)

###
### neverallow rules
###

# Only statsd and, in limited circumstances, the other root services
# (system_server, init, vold) can get to the files in /data/misc/stats-data,
# /data/misc/stats-service. Every other domain is prohibited from accessing
# these files.
# NOTE(review): each exempted domain widens the set of processes that can
# reach stats data; an exemption should stay only while an allow rule
# somewhere actually needs it.
neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;

# Limited access to the directory itself (same exemptions as for the files).
neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;