Merge "Permit dropping caches from the shell through sys.drop_caches." am: 133496f8a4 am: f4527315ac am: dae1587e83

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1584526 Change-Id: I2f86f9bc2009439fd76ede803bb32d7670b7ae88
2021-03-22 20:15:54 +00:00 · 2021-03-22 20:15:54 +00:00 · 3fb2e9c2f6
commit 3fb2e9c2f6
parent 4d6e6387b1 dae1587e83
4 changed files with 13 additions and 0 deletions
--- a/private/init.te
+++ b/private/init.te
@ -38,6 +38,9 @@ userdebug_or_eng(`
 # that userdata is mounted onto.
 allow init sysfs_dm:file read;

+# Allow init to write to the drop_caches file.
+allow init proc_drop_caches:file rw_file_perms;
+
 # Allow the BoringSSL self test to request a reboot upon failure
 set_prop(init, powerctl_prop)

--- a/private/property.te
+++ b/private/property.te
@ -23,6 +23,7 @@ system_internal_prop(net_464xlat_fromvendor_prop)
 system_internal_prop(net_connectivity_prop)
 system_internal_prop(netd_stable_secret_prop)
 system_internal_prop(odsign_prop)
+system_internal_prop(perf_drop_caches_prop)
 system_internal_prop(pm_prop)
 system_internal_prop(rollback_test_prop)
 system_internal_prop(setupwizard_prop)
--- a/private/property_contexts
+++ b/private/property_contexts
@ -260,6 +260,10 @@ ro.nnapi.extensions.deny_on_product                u:object_r:nnapi_ext_deny_pro
 # Property that is set once ueventd finishes cold boot.
 ro.cold_boot_done       u:object_r:cold_boot_done_prop:s0

+# Properties that control performance operations.
+# Leave space to later set drop_caches to 1, 2, and 4.
+perf.drop_caches        u:object_r:perf_drop_caches_prop:s0 exact enum 0 3
+
 # Charger properties
 ro.charger.                 u:object_r:charger_prop:s0
 sys.boot_from_charger_mode  u:object_r:charger_status_prop:s0 exact int
--- a/private/shell.te
+++ b/private/shell.te
@ -121,6 +121,7 @@ set_prop(shell, ctl_dumpstate_prop)
 set_prop(shell, dumpstate_prop)
 set_prop(shell, exported_dumpstate_prop)
 set_prop(shell, debug_prop)
+set_prop(shell, perf_drop_caches_prop)
 set_prop(shell, powerctl_prop)
 set_prop(shell, log_tag_prop)
 set_prop(shell, wifi_log_prop)
@ -189,3 +190,7 @@ get_prop(shell, verity_status_prop)

 # Allow shell to read Virtual A/B related properties
 get_prop(shell, virtual_ab_prop)
+
+# Never allow others to set or get the perf.drop_caches property.
+neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
+neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;