Merge changes from topics "norootintegrationtest", "profileshelltestdatafile"

* changes:
  Allow shell to create shell_[test_]_data_file sockets.
  Allow heapprofd to read shell_test_data_file.
This commit is contained in:
Florian Mayer 2021-02-10 11:16:10 +00:00 committed by Gerrit Code Review
commit 7b3ae03026
3 changed files with 5 additions and 1 deletions

View file

@ -45,6 +45,7 @@ r_dir_file(heapprofd, apex_art_data_file)
r_dir_file(heapprofd, apk_data_file) r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file) r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type) r_dir_file(heapprofd, vendor_file_type)
r_dir_file(heapprofd, shell_test_data_file)
# Some dex files are not world-readable. # Some dex files are not world-readable.
# We are still constrained by the SELinux rules above. # We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search; allow heapprofd self:global_capability_class_set dac_read_search;

View file

@ -478,7 +478,9 @@ neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_
neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms; neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms; neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
neverallow { domain -shell -init -adbd } shell_test_data_file:file *; neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
# Only the init property service should write to /data/property and /dev/__properties__ # Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms; neverallow { domain -init } property_data_file:dir no_w_dir_perms;

View file

@ -30,6 +30,7 @@ allow shell shell_test_data_file:dir create_dir_perms;
allow shell shell_test_data_file:file create_file_perms; allow shell shell_test_data_file:file create_file_perms;
allow shell shell_test_data_file:file rx_file_perms; allow shell shell_test_data_file:file rx_file_perms;
allow shell shell_test_data_file:lnk_file create_file_perms; allow shell shell_test_data_file:lnk_file create_file_perms;
allow shell shell_test_data_file:sock_file create_file_perms;
# Read and delete from /data/local/traces. # Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink }; allow shell trace_data_file:file { r_file_perms unlink };