1type statsd, domain, mlstrustedsubject; 2 3type statsd_exec, system_file_type, exec_type, file_type; 4binder_use(statsd) 5 6# Allow statsd to scan through /proc/pid for all processes. 7r_dir_file(statsd, domain) 8 9# Allow executing files on system, such as running a shell or running: 10# /system/bin/toolbox 11# /system/bin/logcat 12# /system/bin/dumpsys 13allow statsd devpts:chr_file { getattr ioctl read write }; 14allow statsd shell_exec:file rx_file_perms; 15allow statsd system_file:file execute_no_trans; 16allow statsd toolbox_exec:file rx_file_perms; 17 18userdebug_or_eng(` 19 allow statsd su:fifo_file read; 20') 21 22# Create, read, and write into 23# /data/misc/stats-active-metric 24# /data/misc/stats-data 25# /data/misc/stats-metadata 26# /data/misc/stats-service 27# /data/misc/train-info 28allow statsd stats_data_file:dir create_dir_perms; 29allow statsd stats_data_file:file create_file_perms; 30allow statsd stats_config_data_file:dir create_dir_perms; 31allow statsd stats_config_data_file:file create_file_perms; 32 33# Allow statsd to make binder calls to any binder service. 34binder_call(statsd, appdomain) 35binder_call(statsd, incidentd) 36binder_call(statsd, system_server) 37binder_call(statsd, traced_probes) 38 39# Allow statsd to interact with gpuservice 40allow statsd gpu_service:service_manager find; 41binder_call(statsd, gpuservice) 42 43# Allow statsd to interact with keystore to pull atoms 44allow statsd keystore_service:service_manager find; 45binder_call(statsd, keystore) 46 47# Allow statsd to interact with mediametrics 48allow statsd mediametrics_service:service_manager find; 49binder_call(statsd, mediametrics) 50 51# Allow statsd to interact with mediametrics 52allow statsd mediaserver_service:service_manager find; 53binder_call(statsd, mediaserver) 54 55# Allow logd access. 56read_logd(statsd) 57control_logd(statsd) 58 59# Grant statsd with permissions to register the services. 60allow statsd { 61 app_api_service 62 incident_service 63 system_api_service 64}:service_manager find; 65 66# Grant statsd to access health hal to access battery metrics. 67allow statsd hal_health_hwservice:hwservice_manager find; 68 69# Allow statsd to send dump info to dumpstate 70allow statsd dumpstate:fd use; 71allow statsd dumpstate:fifo_file { getattr write }; 72 73# Allow access to with hardware layer and process stats. 74allow statsd proc_uid_cputime_showstat:file { getattr open read }; 75hal_client_domain(statsd, hal_health) 76hal_client_domain(statsd, hal_power) 77hal_client_domain(statsd, hal_power_stats) 78hal_client_domain(statsd, hal_thermal) 79 80# Allow 'adb shell cmd' to upload configs and download output. 81allow statsd adbd:fd use; 82allow statsd adbd:unix_stream_socket { getattr read write }; 83allow statsd shell:fifo_file { getattr read write }; 84 85unix_socket_send(statsd, statsdw, statsd) 86 87### 88### neverallow rules 89### 90 91# Only statsd and the other root services in limited circumstances. 92# can get to the files in /data/misc/stats-data, /data/misc/stats-service. 93# Other services are prohibitted from accessing the file. 94neverallow { domain -statsd -init -vold } stats_data_file:file *; 95neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:file *; 96 97 98# Limited access to the directory itself. 99neverallow { domain -statsd -init -vold } stats_data_file:dir *; 100neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:dir *; 101