# rfs_access - rfs_access daemon type rfs_access, domain, domain_deprecated; type rfs_access_exec, exec_type, file_type; init_daemon_domain(rfs_access) #The files created by rfs_access process in the /data folder will have type rfs_file type_transition rfs_access system_data_file:{ dir file } rfs_file; type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs"; #The files created by rfs_access process in the /persist folder will have type rfs_file type_transition rfs_access persist_file:{ dir file } rfs_file; type_transition rfs_access persist_file:dir rfs_shared_hlos_file "hlos_rfs"; allow rfs_access { #To read the uio char device uio_device #To read the smem log char device smem_log_device }:chr_file rw_file_perms; #For QMI sockets and IPCR Sockets allow rfs_access self:socket create_socket_perms; #For Wakelocks wakelock_use(rfs_access) #To create the folders in /data allow rfs_access system_data_file:dir create_dir_perms; #To create the folders in /persist allow rfs_access persist_file:dir create_dir_perms; #For system folder entries r_dir_file(rfs_access, rfs_system_file) allow rfs_access rfs_system_file:lnk_file r_file_perms; #For data folder entries allow rfs_access rfs_file:dir create_dir_perms; allow rfs_access rfs_file:file create_file_perms; allow rfs_access rfs_shared_hlos_file:dir create_dir_perms; allow rfs_access rfs_shared_hlos_file:file create_file_perms; #For ramdump entries in /data/tombstones. allow rfs_access tombstone_data_file:dir create_dir_perms; allow rfs_access tombstone_data_file:file create_file_perms; #For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes). r_dir_file(rfs_access, firmware_file) #For dropping permisions from root and wakelock allow rfs_access self:capability { setuid setgid setpcap net_bind_service net_raw }; # RFS UID and GIDs were changed and moved from old values to new ones OEM range. # The below permissions are required to recursively update the folder ownership # to the new values in the OEM range. allow rfs_access self:capability { dac_read_search chown dac_override }; #For access to the kmsg device allow rfs_access kmsg_device:chr_file w_file_perms; #Prevent other domains from accessing RFS data files. neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:dir create_dir_perms; neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:file create_file_perms;