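# Domain to run Car Service (com.android.car)
app_domain(carservice_app);

# Allow Car Service to be the client of the Audio Control, Health and Vehicle HALs
hal_client_domain(carservice_app, hal_audiocontrol)
hal_client_domain(carservice_app, hal_health)
hal_client_domain(carservice_app, hal_vehicle)

# Allow Car Service to be the client of remoteaccess HAL.
hal_client_domain(carservice_app, hal_remoteaccess)

# Allow Car Service to use EVS service
hal_client_domain(carservice_app, hal_evs)

# Allow Car Service to use IVN HAL.
hal_client_domain(carservice_app, hal_ivn)

# Allow to set boot.car_service_created property
# NOTE(review): the grant is on the type system_prop, not on the single
# property named above, so it covers every property that carries that label.
# A dedicated property type for boot.car_service_created would keep this rule
# to least privilege - TODO confirm no other system_prop write is required.
set_prop(carservice_app, system_prop)

# Allow Car Service to register/access itself with ServiceManager
add_service(carservice_app, carservice_service)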
23
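# Allow Car Service to access certain system services.
# Each entry grants only the service_manager "find" permission on that
# service type; list a service here only when Car Service looks it up.
# Keep alphabetically sorted.
allow carservice_app {
    accessibility_service
    activity_service
    activity_task_service
    audio_service
    audioserver_service
    autofill_service
    bluetooth_manager_service
    connectivity_service
    content_service
    device_policy_service
    deviceidle_service
    display_service
    graphicsstats_service
    input_method_service
    input_service
    location_service
    lock_settings_service
    media_communication_service
    media_session_service
    netstats_service  # for CarTelemetryService
    network_management_service
    overlay_service
    power_service
    procfsinspector_service
    radio_service
    registry_service
    sensorservice_service
    statsmanager_service
    surfaceflinger_service
    telecom_service
    tethering_service
    thermal_service
    timedetector_service
    timezonedetector_service
    uimode_service
    usagestats_service
    voiceinteraction_service
    wifi_service
    wifiscanner_service
}:service_manager find;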
67
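# Read and write /data/data subdirectory.
allow carservice_app system_app_data_file:dir create_dir_perms;
allow carservice_app system_app_data_file:{ file lnk_file } create_file_perms;
# R/W /data/system/car
allow carservice_app system_car_data_file:dir create_dir_perms;
allow carservice_app system_car_data_file:{ file lnk_file } create_file_perms;

# Network access through the net_domain macro (defined outside this file).
net_domain(carservice_app)

# NOTE(review): the consumer of read/write access to cgroup files is not
# recorded here - document it or confirm the rule is still needed.
allow carservice_app cgroup:file rw_file_perms;

# For I/O stats tracker (read-only: read, open, getattr)
allow carservice_app proc_uid_io_stats:file { read open getattr };

# Allow binder calls to procfsinspector
allow carservice_app procfsinspector:binder call;

# Allow binder calls with statsd
allow carservice_app statsd:binder call;

# To access /sys/fs/<type>/<partition>/lifetime_write_kbytes
# The first rule is on the generic sysfs label; all three rules grant only
# directory open/read/search, no file access.
allow carservice_app sysfs:dir { open read search };
allow carservice_app sysfs_fs_ext4_features:dir { open read search };
allow carservice_app sysfs_fs_f2fs:dir { open read search };

# Allow reading and writing /sys/power/
allow carservice_app sysfs_power:file rw_file_perms;

# Allow reading system property sys.boot.reason
allow carservice_app system_boot_reason_prop:file { getattr open read map };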
97
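## CarBugreportManagerService rules
# NOTE(review): ctl_start_prop and ctl_stop_prop are not scoped to one service
# by name. Presumably they let this domain ask init to start or stop any
# service that has no more specific ctl label - confirm against
# property_contexts, and prefer a service-specific control property type if
# only the bugreport services are meant.
set_prop(carservice_app, ctl_start_prop)
set_prop(carservice_app, ctl_stop_prop)
unix_socket_connect(carservice_app, dumpstate, dumpstate)
# Allow setting "dumpstate.dry_run" (userdebug and eng builds only)
userdebug_or_eng(`
  set_prop(carservice_app, exported_dumpstate_prop)
')

# Allow reading vehicle-specific configuration
get_prop(carservice_app, vehicle_hal_prop)

# Allow writing carwatchdog configuration
set_prop(carservice_app, carwatchdog_config_prop)

# Allow CarWatchdogService to access car watchdog daemon
carwatchdog_client_domain(carservice_app)

# Allow CarPowerManagementService to access car power policy daemon
allow carservice_app carpowerpolicyd_service:service_manager find;

# Allow CarPowerManagementService to serve a callback from car power policy daemon
carpowerpolicy_callback_domain(carservice_app)

# For ActivityBlockingActivity
allow carservice_app gpu_device:chr_file rw_file_perms;
allow carservice_app gpu_device:dir r_dir_perms;
allow carservice_app gpu_service:service_manager find;
binder_call(carservice_app, gpuservice)

# Allow reading /proc/loadavg (read-only: open, read, getattr)
allow carservice_app proc_loadavg:file { open read getattr };

# Allow reading /proc/meminfo for telemetry
allow carservice_app proc_meminfo:file { open read getattr };

# Allow finding game_service and content_capture_service
allow carservice_app game_service:service_manager find;
allow carservice_app content_capture_service:service_manager find;

# Allow finding hint_service
allow carservice_app hint_service:service_manager find;

# Allow finding AIDL EVS service
allow carservice_app evsmanagerd_service:service_manager find;

# Allow reading car boot information
get_prop(carservice_app, car_boot_prop);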
146