diff --git a/private/atrace.te b/private/atrace.te
index 37e9702a3d3f96cb1f5a8139cb253ae3719e6593..a60370d783a6ea25c27a64816cd925e36322f7c0 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -33,6 +33,7 @@ allow atrace {
   service_manager_type
   -apex_service
   -incident_service
+  -iorapd_service
   -netd_service
   -stats_service
   -dumpstate_service
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f985d958c7014b8a70474851fdc3160efd92a134..54edb40b8d8e0a2bb73a1058abf615ebcd482f12 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -89,6 +89,11 @@
     hal_wifi_offload_hwservice
     incident_helper
     incident_helper_exec
+    iorapd
+    iorapd_data_file
+    iorapd_exec
+    iorapd_service
+    iorapd_tmpfs
     kmsg_debug_device
     last_boot_reason_prop
     llkd
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index df3f95aed2ffb6e5e045ec67a269a26d9ba00f39..1df6a0e5219532355fd3b7c89f22339c4c67aa57 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -80,6 +80,11 @@
     hal_wifi_hostapd_hwservice
     incident_helper
     incident_helper_exec
+    iorapd
+    iorapd_data_file
+    iorapd_exec
+    iorapd_service
+    iorapd_tmpfs
     last_boot_reason_prop
     llkd
     llkd_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index c1b126b20b7fa5f6d2e8effccf43d090ba8f6e92..e02421d90f26db86eb2e3249bb26284e3c652715 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -31,6 +31,11 @@
     llkd_prop
     llkd_tmpfs
     looper_stats_service
+    iorapd
+    iorapd_exec
+    iorapd_data_file
+    iorapd_service
+    iorapd_tmpfs
     mnt_product_file
     overlayfs_file
     recovery_socket
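Review bot: The five entries added to 28.0.ignore.cil are placed after `looper_stats_service` and list `iorapd_exec` before `iorapd_data_file`, whereas the 26.0 and 27.0 lists in this same commit insert them alphabetically (`iorapd`, `iorapd_data_file`, `iorapd_exec`, `iorapd_service`, `iorapd_tmpfs`). The surrounding context here (`llkd_prop`, `llkd_tmpfs`, `looper_stats_service`, `mnt_product_file`) is alphabetical, so the block belongs before `llkd_prop` in the same order as the other two files. Purely a style point; the set of ignored types is the same.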
diff --git a/private/file_contexts b/private/file_contexts
index 264735d6d7ca9b1d45aba4408bb92f62e69eab3e..3b852136f02151e82ab2ad9a27171649c380aa23 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -273,6 +273,7 @@
 # patchoat executable has (essentially) the same requirements as dex2oat.
 /system/bin/patchoat(d)?    u:object_r:dex2oat_exec:s0
 /system/bin/profman(d)?     u:object_r:profman_exec:s0
+/system/bin/iorapd          u:object_r:iorapd_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -451,6 +452,7 @@
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
+/data/misc/iorapd(/.*)?         u:object_r:iorapd_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/misc/update_engine_log(/.*)?  u:object_r:update_engine_log_data_file:s0
@@ -516,6 +518,9 @@
 /data/misc_de/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc_ce/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
 
+# iorapd per-user data
+/data/misc_ce/[0-9]+/iorapd(/.*)?           u:object_r:iorapd_data_file:s0
+
 #############################
 # efs files
 #
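Review bot: The new `/data/misc_ce/[0-9]+/iorapd(/.*)?` entry means a directory must be created under every user's CE storage, but the neverallow rules added in public/iorapd.te exempt only init and iorapd from `iorapd_data_file:dir *`; if that per-user subdirectory is prepared by anything other than init when a secondary user is created (a vold helper, for instance), no allow rule for it could be added without tripping the neverallow, and the directory would either never be created or never be labelled. Worth confirming which domain creates it and saying so in the comment, e.g. `# iorapd per-user data (CE only; directory created by init)` with the domain corrected if it is not init. There is also no matching `/data/misc_de/[0-9]+/iorapd` entry, which is fine if only credential-encrypted storage is intended but deserves a word in that comment.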
diff --git a/private/iorapd.te b/private/iorapd.te
new file mode 100644
index 0000000000000000000000000000000000000000..602da03de701d2e4cfdd362d2da935c811b2db10
--- /dev/null
+++ b/private/iorapd.te
@@ -0,0 +1,3 @@
+typeattribute iorapd coredomain;
+
+init_daemon_domain(iorapd)
diff --git a/private/service_contexts b/private/service_contexts
index b68ab8e2651d4d7d99dd7d6d3a8a9bd0170a7169..1398b1936e874f7ff06fd4b03cfac9df455375d1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -70,6 +70,7 @@ inputflinger                              u:object_r:inputflinger_service:s0
 input_method                              u:object_r:input_method_service:s0
 input                                     u:object_r:input_service:s0
 installd                                  u:object_r:installd_service:s0
+iorapd                                    u:object_r:iorapd_service:s0
 iphonesubinfo_msim                        u:object_r:radio_service:s0
 iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 245496f8f304cb785c2d5a60e36534cdfa16a0e7..40fec6acfdbad96383351d11657f120a9ddb58dc 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -73,6 +73,7 @@ allow system_app {
   -apex_service
   -dumpstate_service
   -installd_service
+  -iorapd_service
   -netd_service
   -virtual_touchpad_service
   -vold_service
@@ -82,6 +83,7 @@ allow system_app {
 dontaudit system_app {
   dumpstate_service
   installd_service
+  iorapd_service
   netd_service
   virtual_touchpad_service
   vold_service
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5663e80ea58ea9a97037f7b7d7037cfff729459d..79faafa7efd6f93ad2797e5cb02a26bc26a36969 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -209,6 +209,7 @@ allow dumpstate {
   -dumpstate_service
   -gatekeeper_service
   -incident_service
+  -iorapd_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
@@ -218,6 +219,7 @@ dontaudit dumpstate {
   dumpstate_service
   gatekeeper_service
   incident_service
+  iorapd_service
   virtual_touchpad_service
   vold_service
   vr_hwc_service
diff --git a/public/file.te b/public/file.te
index 8e31f2cda2af8925c05b30d0b60e52620b2ca682..48c2a693d7e855c2707b5bd8c624d590571ef88e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -296,6 +296,7 @@ type vpn_data_file, file_type, data_file_type, core_data_file_type;
 type wifi_data_file, file_type, data_file_type, core_data_file_type;
 type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
 type vold_data_file, file_type, data_file_type, core_data_file_type;
+type iorapd_data_file, file_type, data_file_type, core_data_file_type;
 type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/init.te b/public/init.te
index 42d364f02fbf2ddead6f9a4a752b4055a0a07786..18d11b6c69b2d7e174d32dbfbe9766c64fe91bf3 100644
--- a/public/init.te
+++ b/public/init.te
@@ -158,6 +158,7 @@ allow init {
   file_type
   -app_data_file
   -exec_type
+  -iorapd_data_file
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
@@ -173,6 +174,7 @@ allow init {
   file_type
   -app_data_file
   -exec_type
+  -iorapd_data_file
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
@@ -189,6 +191,7 @@ allow init {
   file_type
   -app_data_file
   -exec_type
+  -iorapd_data_file
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
@@ -204,6 +207,7 @@ allow init {
   file_type
   -app_data_file
   -exec_type
+  -iorapd_data_file
   -keystore_data_file
   -misc_logd_file
   -nativetest_data_file
diff --git a/public/iorapd.te b/public/iorapd.te
new file mode 100644
index 0000000000000000000000000000000000000000..c056943f8e45ae6d27332edc8951462331de1281
--- /dev/null
+++ b/public/iorapd.te
@@ -0,0 +1,75 @@
+# volume manager
+type iorapd, domain;
+type iorapd_exec, exec_type, file_type, system_file_type;
+
+r_dir_file(iorapd, rootfs)
+
+# Allow read/write /proc/sys/vm/drop/caches
+allow iorapd proc_drop_caches:file rw_file_perms;
+
+# Give iorapd a place where only iorapd can store files; everyone else is off limits
+allow iorapd iorapd_data_file:dir create_dir_perms;
+allow iorapd iorapd_data_file:file create_file_perms;
+
+# Allow iorapd to publish a binder service and make binder calls.
+binder_use(iorapd)
+add_service(iorapd, iorapd_service)
+
+# Allow iorapd to call into the system server so it can check permissions.
+binder_call(iorapd, system_server)
+allow iorapd permission_service:service_manager find;
+# IUserManager
+allow iorapd user_service:service_manager find;
+# IPackageManagerNative
+allow iorapd package_native_service:service_manager find;
+
+# talk to batteryservice
+binder_call(iorapd, healthd)
+
+# TODO: does each of the service_manager allow finds above need the binder_call?
+
+# iorapd temporarily changes its priority when running benchmarks
+allow iorapd self:global_capability_class_set sys_nice;
+
+
+###
+### neverallow rules
+###
+
+neverallow {
+    domain
+    -iorapd
+} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+    domain
+    -init
+    -iorapd
+} iorapd_data_file:dir *;
+
+neverallow {
+    domain
+    -kernel
+    -iorapd
+} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+    domain
+    -init
+    -kernel
+    -vendor_init
+    -iorapd
+} { iorapd_data_file }:notdevfile_class_set *;
+
+# Only system_server can interact with iorapd over binder
+neverallow { domain -system_server -iorapd } iorapd_service:service_manager find;
+neverallow iorapd {
+  domain
+  -healthd
+  -servicemanager
+  -system_server
+  userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow { domain -init } iorapd:process { transition dyntransition };
+neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
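Review bot: The header comment on the first line of the new file, `# volume manager`, describes vold, from which these rules appear to have been copied, not iorapd; replace it with `# iorapd: I/O read-ahead daemon` so the file's purpose is not misstated. The comment above the `proc_drop_caches` rule also misspells the sysctl: `# Allow read/write /proc/sys/vm/drop_caches`. Since that rule grants a system-wide page-cache eviction capability, a one-line why-comment would help the next reviewer, e.g. `# iorapd drops caches before timing cold starts during benchmarks` if that is the reason. The TODO about whether each `service_manager find` also needs a `binder_call` should be resolved before this lands rather than left in policy, since the neverallow on `iorapd ... :binder call` below already fixes the answer to healthd, servicemanager and system_server.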
diff --git a/public/service.te b/public/service.te
index 7a60ad405689da1fe2a7f04f79502448a85ee941..dd80f92bc82591820aee02dc1d162008857625d1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,6 +10,7 @@ type fingerprintd_service,      service_manager_type;
 type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               service_manager_type;
+type iorapd_service,            service_manager_type;
 type inputflinger_service,      service_manager_type;
 type incident_service,          service_manager_type;
 type installd_service,          service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 339b58632cb08f9b035f74602c733c4b40d8044a..cef1b0a355cc1e9dda03b6ffc1cc493818740af5 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -108,6 +108,7 @@ allow shell {
   -gatekeeper_service
   -incident_service
   -installd_service
+  -iorapd_service
   -netd_service
   -virtual_touchpad_service
   -vold_service
diff --git a/public/traceur_app.te b/public/traceur_app.te
index c18984e2f8cb5634b3c116af5fa148ed05af61b2..aea13ef708bb42c650a80b4fd080eca42dd7540c 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -11,6 +11,7 @@ allow traceur_app {
   -gatekeeper_service
   -incident_service
   -installd_service
+  -iorapd_service
   -netd_service
   -virtual_touchpad_service
   -vold_service
diff --git a/public/vold.te b/public/vold.te
index 8db19fcef291a4019242fab80b4c6e5588bfe212..cd2d4f74561daeeb3e61e5a8391dccece7effd28 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -272,6 +272,7 @@ neverallow vold {
   -hal_bootctl
   -healthd
   -hwservicemanager
+  -iorapd_service
   -servicemanager
   -system_server
   userdebug_or_eng(`-su')