Merge "Add odrefresh_data_file for odrefresh metrics" am: cb0627099e

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1671828 Change-Id: Iab1f924e011fc8d32fe3c69c608846918d7fa209
2021-04-15 10:09:30 +00:00 · 2021-04-15 10:09:30 +00:00 · 8684e82953
commit 8684e82953
parent 2933f3aab0 cb0627099e
4 changed files with 17 additions and 0 deletions
--- a/private/file.te
+++ b/private/file.te
@ -51,6 +51,9 @@ type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
 # /data/font/files
 type font_data_file, file_type, data_file_type, core_data_file_type;

+# /data/misc/odrefresh
+type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
+
 # /data/misc/odsign
 type odsign_data_file, file_type, data_file_type, core_data_file_type;

--- a/private/file_contexts
+++ b/private/file_contexts
@ -599,6 +599,7 @@
 /data/misc/net(/.*)?            u:object_r:net_data_file:s0
 /data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
 /data/misc/nfc/logs(/.*)?       u:object_r:nfc_logs_data_file:s0
+/data/misc/odrefresh(/.*)?      u:object_r:odrefresh_data_file:s0
 /data/misc/odsign(/.*)?         u:object_r:odsign_data_file:s0
 /data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
 /data/misc/perfetto-traces(/.*)?          u:object_r:perfetto_traces_data_file:s0
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@ -7,6 +7,10 @@ allow odrefresh apex_module_data_file:dir { getattr search };
 allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
 allow odrefresh apex_art_data_file:file create_file_perms;

+# Allow odrefresh to create data files (typically for metrics before statsd starts).
+allow odrefresh odrefresh_data_file:dir create_dir_perms;
+allow odrefresh odrefresh_data_file:file create_file_perms;
+
 userfaultfd_use(odrefresh)

 # Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
@ -36,3 +40,8 @@ allow odrefresh apex_info_file:file r_file_perms;

 # No other processes should be creating files in the staging area.
 neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
+
+# No processes other than init, odrefresh and system_server access
+# odrefresh_data_files.
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
--- a/private/system_server.te
+++ b/private/system_server.te
@ -1280,6 +1280,10 @@ allow system_server watchdog_metadata_file:file create_file_perms;
 allow system_server gsi_persistent_data_file:dir rw_dir_perms;
 allow system_server gsi_persistent_data_file:file create_file_perms;

+# Allow system server read and remove files under /data/misc/odrefresh
+allow system_server odrefresh_data_file:dir rw_dir_perms;
+allow system_server odrefresh_data_file:file { r_file_perms unlink };
+
 # Allow system server r access to /system/bin/surfaceflinger for PinnerService.
 allow system_server surfaceflinger_exec:file r_file_perms;