Merge "Add odrefresh_data_file for odrefresh metrics" am: cb0627099e
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1671828 Change-Id: Iab1f924e011fc8d32fe3c69c608846918d7fa209
commit
8684e82953
4 changed files with 17 additions and 0 deletions
|
@ -51,6 +51,9 @@ type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
# /data/font/files
|
# /data/font/files
|
||||||
type font_data_file, file_type, data_file_type, core_data_file_type;
|
type font_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
|
||||||
|
# /data/misc/odrefresh
|
||||||
|
type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
|
||||||
# /data/misc/odsign
|
# /data/misc/odsign
|
||||||
type odsign_data_file, file_type, data_file_type, core_data_file_type;
|
type odsign_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
|
||||||
|
|
|
@ -599,6 +599,7 @@
|
||||||
/data/misc/net(/.*)? u:object_r:net_data_file:s0
|
/data/misc/net(/.*)? u:object_r:net_data_file:s0
|
||||||
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
|
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
|
||||||
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
|
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
|
||||||
|
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
|
||||||
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
|
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
|
||||||
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
|
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
|
||||||
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
|
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
|
||||||
|
|
|
@ -7,6 +7,10 @@ allow odrefresh apex_module_data_file:dir { getattr search };
|
||||||
allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
|
allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
|
||||||
allow odrefresh apex_art_data_file:file create_file_perms;
|
allow odrefresh apex_art_data_file:file create_file_perms;
|
||||||
|
|
||||||
|
# Allow odrefresh to create data files (typically for metrics before statsd starts).
|
||||||
|
allow odrefresh odrefresh_data_file:dir create_dir_perms;
|
||||||
|
allow odrefresh odrefresh_data_file:file create_file_perms;
|
||||||
|
|
||||||
userfaultfd_use(odrefresh)
|
userfaultfd_use(odrefresh)
|
||||||
|
|
||||||
# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
|
# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
|
||||||
|
@ -36,3 +40,8 @@ allow odrefresh apex_info_file:file r_file_perms;
|
||||||
|
|
||||||
# No other processes should be creating files in the staging area.
|
# No other processes should be creating files in the staging area.
|
||||||
neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
|
neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
|
||||||
|
|
||||||
|
# No processes other than init, odrefresh and system_server access
|
||||||
|
# odrefresh_data_files.
|
||||||
|
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
|
||||||
|
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
|
||||||
|
|
|
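Review bot: The two added neverallow rules on odrefresh_data_file exempt system_server from every permission (`*`), so nothing at build time stops a later change from granting system_server write or create access to these files. As far as this page shows, system_server only needs to read and unlink them, so a second assertion could pin that down: `neverallow system_server odrefresh_data_file:file { append create link relabelfrom rename setattr write };`. The files are written by odrefresh and read by system_server, so keeping the set of writers limited to init and odrefresh is the property worth asserting.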
@ -1280,6 +1280,10 @@ allow system_server watchdog_metadata_file:file create_file_perms;
|
||||||
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
|
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
|
||||||
allow system_server gsi_persistent_data_file:file create_file_perms;
|
allow system_server gsi_persistent_data_file:file create_file_perms;
|
||||||
|
|
||||||
|
# Allow system server read and remove files under /data/misc/odrefresh
|
||||||
|
allow system_server odrefresh_data_file:dir rw_dir_perms;
|
||||||
|
allow system_server odrefresh_data_file:file { r_file_perms unlink };
|
||||||
|
|
||||||
# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
|
# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
|
||||||
allow system_server surfaceflinger_exec:file r_file_perms;
|
allow system_server surfaceflinger_exec:file r_file_perms;
|
||||||
|
|
||||||
|
|
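Review bot: The directory grant `rw_dir_perms` is wider than the comment's "read and remove", because it also carries `add_name`, which unlinking a file does not need. If system_server never creates entries under /data/misc/odrefresh, `allow system_server odrefresh_data_file:dir { r_dir_perms write remove_name };` would match the stated intent; this assumes the standard macro definitions, which are not shown on this page. The comment could also say what system_server does with the files (presumably it reports the metrics and then deletes them), since the reason is only hinted at in the comment on the odrefresh rule.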