# Declares the cros_metrics_daemon type as a process domain and sets up how
# the daemon enters it.
# NOTE(review): mlstrustedsubject is conventionally the attribute that exempts
# a subject from MLS constraints; confirm this daemon needs that exemption.
type cros_metrics_daemon, chromeos_domain, domain, mlstrustedsubject;
# without minijail
# Presumably: when cros_init_scripts executes a file labelled
# cros_metrics_daemon_exec, the new process runs as cros_metrics_daemon.
# The macro is defined outside this file; verify against its definition.
domain_auto_trans(cros_init_scripts, cros_metrics_daemon_exec, cros_metrics_daemon);
# with minijail
# Presumably the equivalent transition when the daemon is launched through
# minijail; the macro is defined outside this file - TODO confirm.
from_minijail_static(cros_metrics_daemon, cros_metrics_daemon_exec);
# Lets the daemon use file descriptors that belong to either launching domain
# (for example descriptors inherited across exec).
allow cros_metrics_daemon { cros_init_scripts minijail }:fd use;
# Logging, UMA reporting and D-Bus client access are granted through policy
# macros defined outside this file; the effective permissions are whatever
# those macros expand to, so review the expansions rather than the names.
log_writer(cros_metrics_daemon);
uma_writer(cros_metrics_daemon);
cros_dbus_client(cros_metrics_daemon);
# Directory and file access to objects labelled cros_metrics_file
# (presumably read/write, going by the macro name - TODO confirm).
rw_dir_file(cros_metrics_daemon, cros_metrics_file);
# Adds the create_file_perms permission set on files of the same type; the set
# is defined elsewhere and by name includes file creation.
allow cros_metrics_daemon cros_metrics_file:file create_file_perms;
# Read-only sysfs access. No write permission is granted in this group.
# NOTE(review): the generic sysfs type covers every sysfs node that has no more
# specific label, so the first two rules are broad; prefer dedicated types for
# the nodes the daemon actually reads where that is practical.
allow cros_metrics_daemon sysfs:file { open read getattr };
# NOTE(review): no search permission on sysfs:dir here, unlike sysfs_dm:dir
# below; presumably search comes from another rule - verify.
allow cros_metrics_daemon sysfs:dir { open read };
# Device-mapper and zram sysfs nodes, going by the type names.
allow cros_metrics_daemon sysfs_dm:dir { open read search };
# NOTE(review): getattr is not granted on sysfs_dm:file although the other
# file rules in this group include it; confirm this is intentional.
allow cros_metrics_daemon sysfs_dm:file { open read };
allow cros_metrics_daemon sysfs_zram:dir search;
allow cros_metrics_daemon sysfs_zram:file { open read getattr };
allow cros_metrics_daemon sysfs_devices_system_cpu:file { open read getattr };
# Read-only access (open, read, getattr) to the listed /proc file types.
# Nothing in this rule grants write.
# NOTE(review): several entries go beyond plain counters. By name, proc_kmsg
# covers the kernel log, and proc_iomem, proc_modules and proc_vmallocinfo
# cover files that can expose kernel layout details depending on kernel
# settings. Confirm each is still read by the daemon and drop the ones that
# are not.
# NOTE(review): proc_sysrq presumably labels the sysrq trigger file, which is
# normally only written; confirm that read access is needed at all.
allow cros_metrics_daemon {
proc_buddyinfo
proc_cmdline
proc_diskstats
proc_filesystems
proc_interrupts
proc_iomem
proc_kmsg
proc_loadavg
proc_meminfo
proc_misc
proc_modules
proc_pagetypeinfo
proc_stat
proc_swaps
proc_sysrq
proc_timer
proc_uptime
proc_version
proc_vmallocinfo
proc_vmstat
proc_zoneinfo
}:file { open read getattr };
# Named type transition: a directory called vmlog that either the daemon or
# cros_init_scripts creates inside a cros_var_log directory is labelled
# cros_var_log_vmlog (as filetrans_pattern is conventionally defined - the
# macro itself is outside this file).
filetrans_pattern({ cros_metrics_daemon cros_init_scripts }, cros_var_log, cros_var_log_vmlog, dir, "vmlog");
# The daemon manages the vmlog directory and its contents.
allow cros_metrics_daemon cros_var_log_vmlog:dir create_dir_perms;
# NOTE(review): lnk_file is included, so the daemon can create symlinks in this
# directory. Anything more privileged that reads these logs should not follow
# links there without checking the target - confirm the consumers.
allow cros_metrics_daemon cros_var_log_vmlog:{file lnk_file} create_file_perms;
# getattr only on block device nodes with the generic device type; no open,
# read or write is granted here.
allow cros_metrics_daemon device:blk_file getattr;
# Runtime metrics directories. The macro and the rw_dir_perms and
# rw_file_perms sets are defined outside this file.
rw_dir_file(cros_metrics_daemon, cros_run_metrics_external);
allow cros_metrics_daemon cros_run_metrics:dir { rw_dir_perms };
# The daemon may remove entries from the external crash directory and unlink
# files there; no create permission on those files is granted by these two
# rules.
# NOTE(review): the type name suggests other domains populate this directory;
# if so the daemon should treat its contents as untrusted input - verify.
allow cros_metrics_daemon cros_run_metrics_external_crash:dir { rw_dir_perms remove_name };
allow cros_metrics_daemon cros_run_metrics_external_crash:file { rw_file_perms unlink };
# Conditional rule: emitted only when the has_arc macro expands its argument
# (presumably on ARC-enabled builds; the macro is defined outside this file).
# Grants directory search on gpu_device and nothing else.
has_arc(`
allow cros_metrics_daemon gpu_device:dir search;
');
# Read access to files, symlinks and directories labelled with any type that
# carries the domain attribute. In practice these are the per-process entries
# under /proc, so this is what lets the daemon inspect other processes.
# NOTE(review): domain matches every process domain on the system, which makes
# this one of the broadest grants in the file. Other kernel checks may still
# limit individual entries, but if the daemon only needs a known subset of
# processes, narrowing the target set would reduce what a compromised daemon
# could read.
allow cros_metrics_daemon domain:file { getattr open read };
allow cros_metrics_daemon domain:lnk_file { read getattr };
allow cros_metrics_daemon domain:dir { search getattr };
# TODO(crbug.com/954670)
# Temporary workaround until a fixed signer labels /etc/lsb-release correctly.
# NOTE(review): unlabeled is not specific to /etc/lsb-release; it applies to
# any object without a valid label, so this grant is wider than the file it
# was added for. Remove it once the referenced bug is resolved.
r_dir_file(cros_metrics_daemon, unlabeled);
# Read access to objects labelled debugfs_gpu (presumably GPU entries in
# debugfs; the type and the macro are defined outside this file).
r_dir_file(cros_metrics_daemon, debugfs_gpu);