Merge "Allow profcollectd to store and read its application specific node ID in properties" am: 665c18ebc9

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1648110

Change-Id: I1261398394c507f09c9e9d306a73b3693757eda8

private/compat/30.0/30.0.ignore.cil

@@ -88,6 +88,7 @@
     profcollectd_data_file
     profcollectd_exec
     profcollectd_service
+    profcollectd_node_id_prop
     qemu_hw_prop
     qemu_sf_lcd_density_prop
     radio_core_data_file

private/profcollectd.te

@@ -40,6 +40,7 @@ userdebug_or_eng(`
 
   # Allow profcollectd to read its system properties.
   get_prop(profcollectd, device_config_profcollect_native_boot_prop)
+  set_prop(profcollectd, profcollectd_node_id_prop)
 
   # Allow profcollectd to publish a binder service and make binder calls.
   binder_use(profcollectd)

private/property.te

@@ -25,6 +25,7 @@ system_internal_prop(netd_stable_secret_prop)
 system_internal_prop(odsign_prop)
 system_internal_prop(perf_drop_caches_prop)
 system_internal_prop(pm_prop)
+system_internal_prop(profcollectd_node_id_prop)
 system_internal_prop(rollback_test_prop)
 system_internal_prop(setupwizard_prop)
 system_internal_prop(system_adbd_prop)
@@ -590,3 +591,12 @@ neverallow {
   -init
   -shell
 } rollback_test_prop:property_service set;
+
+neverallow {
+  # Only allow init and profcollectd to access profcollectd_node_id_prop
+  domain
+  -init
+  -dumpstate
+  -profcollectd
+} profcollectd_node_id_prop:file r_file_perms;
+

private/property_contexts

@@ -64,6 +64,7 @@ persist.log.tag         u:object_r:log_tag_prop:s0
 persist.mmc.            u:object_r:mmc_prop:s0
 persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
+persist.profcollectd.node_id    u:object_r:profcollectd_node_id_prop:s0     exact   string
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
 persist.sys.theme       u:object_r:theme_prop:s0