From 251591fa049cb40132a721584a0e5cf2aa5512c8 Mon Sep 17 00:00:00 2001
From: Tim Murray
Date: Thu, 14 Feb 2019 09:26:46 -0800
Subject: [PATCH] sepolicy: Grant system_server and init access to /proc/pressure/memory

Need ability for system components to access psi memory pressure file. Add required permissions for system_server and init to access /proc/pressure/memory file.

Bug: 129476847
Test: system_server can read /proc/pressure/memory
Change-Id: I10ce4f4fe0e3618fa77539e93246d0aae933082c
Signed-off-by: Tim Murray
Signed-off-by: Suren Baghdasaryan
---
 private/system_server.te | 3 +++
 public/init.te | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/private/system_server.te b/private/system_server.te
index bf9c95041..6dcecad9f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1024,6 +1024,9 @@ allow system_server metadata_file:dir search;
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+# Read/Write /proc/pressure/memory
+allow system_server proc_pressure_mem:file rw_file_perms;
+
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/public/init.te b/public/init.te
index 6cbb164ec..177005f25 100644
--- a/public/init.te
+++ b/public/init.te
@@ -553,6 +553,9 @@ allow servicemanager init:binder transfer;
 # Allow calls from init to apexd
 allow init apexd:binder call;
 
+# Allow init to touch PSI monitors
+allow init proc_pressure_mem:file { rw_file_perms setattr };
+
 ###
 ### neverallow rules
 ###
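Review bot: The added rule `allow system_server proc_pressure_mem:file rw_file_perms;` grants write as well as read, but the commit message and the Test: line only mention reading the file. If system_server writes PSI trigger thresholds to the file and then polls it, the comment should say so, for example `# Register PSI memory-pressure triggers (write) and poll /proc/pressure/memory (read)`. If it only reads, `r_file_perms` is the narrower grant. The `proc_pressure_mem` type is neither declared nor labelled in this patch, so it is presumably defined elsewhere in the policy; that is worth confirming before the rule lands.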
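Review bot: In the added `allow init proc_pressure_mem:file { rw_file_perms setattr };` the comment "touch PSI monitors" does not say which init operation needs read/write on top of `setattr`. If init only changes the owner or mode of the file so that system_server can open it (an inference, since no init.rc change is part of this patch), `allow init proc_pressure_mem:file setattr;` would be sufficient and would leave init without the ability to write to the file itself. If init does open or write the file, the comment should name that operation, for example `# init chowns /proc/pressure/memory and writes PSI triggers to it`. The neverallow section that follows this hunk is outside the visible lines, so whether any rule there bounds writers of this type cannot be checked from here.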