From 0187b2311350df7f2159fe9bf934aeb1f009769c Mon Sep 17 00:00:00 2001
From: Max Bires <jbires@google.com>
Date: Mon, 23 Oct 2017 16:25:11 -0700
Subject: [PATCH] Adding statscompanion_service and a dontaudit for find/add

Instead of removing the denial generating code, a dontaudit and a
service label will be provided so that the team working on this new
feature doesn't have to get slowed up with local revision patches.

The dontaudit should be removed upon resolution of the linked bug.

Bug: 67468181
Test: statscompanion denials aren't audited
Change-Id: Ib4554a7b6c714e7409ea504f5d0b82d5e1283cf7
---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/service_contexts            | 1 +
 private/system_server.te            | 3 +++
 public/service.te                   | 1 +
 4 files changed, 6 insertions(+)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 2cb4d09ef..23b829977 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -22,6 +22,7 @@
     mediaprovider_tmpfs
     netd_stable_secret_prop
     package_native_service
+    statscompanion_service
     storaged_data_file
     sysfs_fs_ext4_features
     system_boot_reason_prop
diff --git a/private/service_contexts b/private/service_contexts
index 86a6032a6..ac7fb8ef7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -140,6 +140,7 @@ simphonebook_msim                         u:object_r:radio_service:s0
 simphonebook2                             u:object_r:radio_service:s0
 simphonebook                              u:object_r:radio_service:s0
 sip                                       u:object_r:radio_service:s0
+statscompanion                            u:object_r:statscompanion_service:s0
 soundtrigger                              u:object_r:voiceinteraction_service:s0
 statusbar                                 u:object_r:statusbar_service:s0
 storaged                                  u:object_r:storaged_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 9879913aa..b38509c67 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -786,3 +786,6 @@ neverallow system_server { domain -system_server }:process ptrace;
 # file read access. However, that is now unnecessary (b/34951864)
 # This neverallow can be removed after b/34951864 is fixed.
 neverallow system_server system_server:capability sys_resource;
+
+# TODO(b/67468181): Remove following lines upon resolution of this bug
+dontaudit system_server statscompanion_service:service_manager { add find };
diff --git a/public/service.te b/public/service.te
index fe26020d9..3b9d60b67 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,6 +21,7 @@ type mediadrmserver_service,    service_manager_type;
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
+type statscompanion_service,    service_manager_type;
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;