From 239c85dd0d33ab9d3144dc12d7546ad72aca8d8c Mon Sep 17 00:00:00 2001 From: Yi Kong Date: Thu, 18 Jun 2020 12:43:23 +0800 Subject: [PATCH] Add sepolicy for profcollectd This does not yet list all the required capabilities for profcollectd, but it at least allows the service to start under permissive mode. Bug: 79161490 Test: start profcollectd Change-Id: I92c6192fa9b31840b2aba26f83a6dc9f9e835030 --- private/compat/30.0/30.0.ignore.cil | 6 +++++- private/file.te | 3 +++ private/file_contexts | 2 ++ private/profcollectd.te | 15 +++++++++++++++ private/service.te | 1 + private/service_contexts | 1 + private/shell.te | 5 +++++ private/system_server.te | 3 +++ 8 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 private/profcollectd.te diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil index 2c4dce143..44a6799ce 100644 --- a/private/compat/30.0/30.0.ignore.cil +++ b/private/compat/30.0/30.0.ignore.cil @@ -8,5 +8,9 @@ apex_info_file debugfs_kprobes gnss_device - mediatranscoding_tmpfs)) + mediatranscoding_tmpfs + profcollectd + profcollectd_data_file + profcollectd_exec + profcollectd_service)) diff --git a/private/file.te b/private/file.te index 44920029c..5225cdced 100644 --- a/private/file.te +++ b/private/file.te @@ -26,3 +26,6 @@ type ota_image_data_file, file_type, data_file_type, core_data_file_type; # /data/misc/emergencynumberdb type emergency_data_file, file_type, data_file_type, core_data_file_type; + +# /data/misc/profcollectd +type profcollectd_data_file, file_type, data_file_type, core_data_file_type; diff --git a/private/file_contexts b/private/file_contexts index 75bca425c..c477c672d 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -310,6 +310,7 @@ /system/bin/idmap u:object_r:idmap_exec:s0 /system/bin/idmap2(d)? u:object_r:idmap_exec:s0 /system/bin/update_engine u:object_r:update_engine_exec:s0 +/system/bin/profcollectd u:object_r:profcollectd_exec:s0 /system/bin/storaged u:object_r:storaged_exec:s0 /system/bin/wpantund u:object_r:wpantund_exec:s0 /system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0 @@ -550,6 +551,7 @@ /data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0 /data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0 /data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0 +/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0 /data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0 /data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0 /data/misc/sms(/.*)? u:object_r:radio_data_file:s0 diff --git a/private/profcollectd.te b/private/profcollectd.te new file mode 100644 index 000000000..6b861afa1 --- /dev/null +++ b/private/profcollectd.te @@ -0,0 +1,15 @@ +# profcollectd - hardware profile collection daemon +type profcollectd, domain, coredomain; +type profcollectd_exec, system_file_type, exec_type, file_type; + +userdebug_or_eng(` + init_daemon_domain(profcollectd) + + # profcollectd opens a file for writing in /data/misc/profcollectd + allow profcollectd profcollectd_data_file:file create_file_perms; + allow profcollectd profcollectd_data_file:dir rw_dir_perms; + + # Allow profcollectd to publish a binder service and make binder calls. + binder_use(profcollectd) + add_service(profcollectd, profcollectd_service) +') diff --git a/private/service.te b/private/service.te index 6c17521ac..29932d230 100644 --- a/private/service.te +++ b/private/service.te @@ -2,6 +2,7 @@ type attention_service, system_server_service, service_manager_type; type dynamic_system_service, system_api_service, system_server_service, service_manager_type; type gsi_service, service_manager_type; type incidentcompanion_service, system_api_service, system_server_service, service_manager_type; +type profcollectd_service, service_manager_type; type stats_service, service_manager_type; type statscompanion_service, system_server_service, service_manager_type; type statsmanager_service, system_api_service, system_server_service, service_manager_type; diff --git a/private/service_contexts b/private/service_contexts index d17b4a554..254ab5f72 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -168,6 +168,7 @@ power u:object_r:power_service:s0 print u:object_r:print_service:s0 processinfo u:object_r:processinfo_service:s0 procstats u:object_r:procstats_service:s0 +profcollectd u:object_r:profcollectd_service:s0 radio.phonesubinfo u:object_r:radio_service:s0 radio.phone u:object_r:radio_service:s0 radio.sms u:object_r:radio_service:s0 diff --git a/private/shell.te b/private/shell.te index 2a2af0ffb..9758b3668 100644 --- a/private/shell.te +++ b/private/shell.te @@ -143,3 +143,8 @@ userdebug_or_eng(`set_prop(shell, persist_debug_prop)') # Allow to read graphics related properties. get_prop(shell, graphics_config_prop) + +# Allow to issue control commands to profcollectd binder service. +userdebug_or_eng(` + allow shell profcollectd:binder call; +') diff --git a/private/system_server.te b/private/system_server.te index c2b4234a0..81988fd1a 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -797,6 +797,9 @@ allow system_server surfaceflinger_service:service_manager find; allow system_server update_engine_service:service_manager find; allow system_server vold_service:service_manager find; allow system_server wifinl80211_service:service_manager find; +userdebug_or_eng(` + allow system_server profcollectd_service:service_manager find; +') add_service(system_server, batteryproperties_service)