Merge "Allow traced_probes to read packages.list." am: 5686c383c8

am: 2ace731692

Change-Id: Ie1fb7afa8e140f5d2b110d56a9dba448e8207a2b

private/traced_probes.te

@@ -29,6 +29,9 @@ allow traced_probes self:global_capability_class_set { sys_nice };
 # Allow procfs access
 r_dir_file(traced_probes, domain)
 
+# Allow to read packages.list file.
+allow traced_probes packages_list_file:file r_file_perms;
+
 # Allow to log to kernel dmesg when starting / stopping ftrace.
 allow traced_probes kmsg_device:chr_file write;
 
@@ -41,7 +44,8 @@ allow traced_probes self:global_capability_class_set dac_read_search;
 allow traced_probes apk_data_file:dir { getattr open read search };
 allow traced_probes dalvikcache_data_file:dir { getattr open read search };
 userdebug_or_eng(`
-allow traced_probes system_data_file:dir { getattr open read search };
+# search and getattr are granted via domain and coredomain, respectively.
+allow traced_probes system_data_file:dir { open read };
 ')
 allow traced_probes system_app_data_file:dir { getattr open read search };
 allow traced_probes backup_data_file:dir { getattr open read search };
@@ -108,7 +112,7 @@ neverallow traced_probes {
 neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
 neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
+neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file }:file *;
 
 # Only init is allowed to enter the traced_probes domain via exec()
 neverallow { domain -init } traced_probes:process transition;