Diffstat (limited to 'sepolicy/dashd.te')
-rw-r--r-- | sepolicy/dashd.te | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/sepolicy/dashd.te b/sepolicy/dashd.te
new file mode 100644
index 0000000..41525dd
--- /dev/null
+++ b/sepolicy/dashd.te
@@ -0,0 +1,46 @@
+# dash daemon
+
+# dashd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type dashd, domain;
+
+# Write to /dev/kmsg
+allow dashd kmsg_device:chr_file rw_file_perms;
+
+allow dashd self:capability { net_admin sys_tty_config };
+wakelock_use(dashd)
+allow dashd self:netlink_kobject_uevent_socket create_socket_perms;
+binder_use(dashd)
+binder_service(dashd)
+binder_call(dashd, system_server)
+
+# Write to state file.
+allow dashd sysfs:file write;
+
+###
+### dashd: charger mode
+###
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow dashd pstorefs:dir r_dir_perms;
+allow dashd pstorefs:file r_file_perms;
+
+allow dashd graphics_device:dir r_dir_perms;
+allow dashd graphics_device:chr_file rw_file_perms;
+allow dashd input_device:dir r_dir_perms;
+allow dashd input_device:chr_file rw_file_perms;
+allow dashd tty_device:chr_file rw_file_perms;
+allow dashd ashmem_device:chr_file execute;
+allow dashd self:process execmem;
+allow dashd proc_sysrq:file rw_file_perms;
+allow dashd self:capability { sys_boot dac_override};
+allow dashd device:dir { open read write } ;
+#allow dashd device:chr_file { write read };
+
+allow dashd proc_stat:file r_file_perms;
+allow dashd sysfs_batteryinfo:file r_file_perms;
+
+r_dir_file(dashd, sysfs_usb_supply);
+r_dir_file(dashd, sysfs_battery_supply); |
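Review bot: `allow dashd sysfs:file write;` grants write on every file that still carries the generic `sysfs` label, not only the state file the comment refers to. Giving that node its own type in file_contexts and narrowing the rule, e.g. `allow dashd sysfs_dashd_state:file w_file_perms;` (type name is a placeholder), would keep the domain to what it actually needs. In the charger-mode block, `self:process execmem` together with `ashmem_device:chr_file execute`, `self:capability dac_override` and `device:dir { open read write }` are similarly broad and carry no comment saying which code path requires them. Each should get a one-line justification comment, or be dropped and re-added only if a denial shows up in the audit log; they are also worth checking against the platform's neverallow rules. The commented-out `#allow dashd device:chr_file { write read };` should be removed rather than left in the policy.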