bootchart: add policy rules for bootchart
allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
parent
7d1b6c8792
commit
cc38e6d1a4
5 changed files with 19 additions and 1 deletions
2
adbd.te
2
adbd.te
|
@ -80,3 +80,5 @@ allow adbd system_file:file r_file_perms;
|
|||
allow adbd kernel:security read_policy;
|
||||
|
||||
allow adbd surfaceflinger_service:service_manager find;
|
||||
allow adbd bootchart_data_file:dir search;
|
||||
allow adbd bootchart_data_file:file r_file_perms;
|
||||
|
|
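Review bot: The two new `bootchart_data_file` rules for adbd are granted on every build variant, although bootchart is a boot-profiling aid and, going by the init.te comment in this commit, the data it collects includes the command line of every process. If the feature is only meant for engineering builds, both rules could be wrapped in the `userdebug_or_eng` macro so that user builds do not expose that data over adb. The same applies to the shell.te rules and to `r_dir_file(init, domain)` in init.te. Only the tail of adbd.te is visible here, so an enclosing conditional outside the hunk cannot be ruled out.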
2
file.te
2
file.te
|
@ -79,6 +79,8 @@ type shell_data_file, file_type, data_file_type, mlstrustedobject;
|
|||
type gps_data_file, file_type, data_file_type;
|
||||
# /data/property
|
||||
type property_data_file, file_type, data_file_type;
|
||||
# /data/bootchart
|
||||
type bootchart_data_file, file_type, data_file_type;
|
||||
|
||||
# /data/misc subdirectories
|
||||
type adb_keys_file, file_type, data_file_type;
|
||||
|
|
|
@ -227,6 +227,9 @@
|
|||
/data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0
|
||||
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
|
||||
|
||||
# Bootchart data
|
||||
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
|
||||
|
||||
# coredump directory for userdebug/eng devices
|
||||
/cores(/.*)? u:object_r:coredump_file:s0
|
||||
|
||||
|
|
7
init.te
7
init.te
|
@ -1,5 +1,5 @@
|
|||
# init switches to init domain (via init.rc).
|
||||
type init, domain;
|
||||
type init, domain, mlstrustedsubject;
|
||||
permissive_or_unconfined(init)
|
||||
tmpfs_domain(init)
|
||||
|
||||
|
@ -164,6 +164,11 @@ allow init shell_data_file:file { getattr };
|
|||
# Set UID and GID for services.
|
||||
allow init self:capability { setuid setgid };
|
||||
|
||||
# For bootchart to read the /proc/$pid/cmdline file of each process,
|
||||
# we need to have following line to allow init to have access
|
||||
# to different domains.
|
||||
r_dir_file(init, domain)
|
||||
|
||||
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
|
||||
# setexec is for services with seclabel options.
|
||||
# setfscreate is for labeling directories and socket files.
|
||||
|
|
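Review bot: Adding `mlstrustedsubject` to the `type init` declaration exempts init from the MLS constraints on every build, and neither the hunk nor the commit message says why. It is presumably needed so that `r_dir_file(init, domain)` in the second hunk can read the /proc entries of processes running at other MLS levels, but that is an inference from the two hunks. A comment above the declaration such as `# mlstrustedsubject: bootchart reads /proc/<pid> of domains at other MLS levels` would record the reason. If bootchart is limited to debug builds, the attribute could instead be attached with `typeattribute init mlstrustedsubject;` inside `userdebug_or_eng`, leaving the type line unchanged.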
6
shell.te
6
shell.te
|
@ -64,3 +64,9 @@ allow shell service_manager_type:service_manager find;
|
|||
# allow shell to look through /proc/ for ps, top
|
||||
allow shell domain:dir { search open read getattr };
|
||||
allow shell domain:{ file lnk_file } { open read getattr };
|
||||
|
||||
# enable shell domain to read/write files/dirs for bootchart data
|
||||
# User will creates the start and stop file via adb shell
|
||||
# and read other files created by init process under /data/bootchart
|
||||
allow shell bootchart_data_file:dir rw_dir_perms;
|
||||
allow shell bootchart_data_file:file create_file_perms;
|
||||
|
|
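Review bot: `create_file_perms` on `bootchart_data_file:file` lets shell create, overwrite, rename and unlink every file under /data/bootchart, while the comment above the rules says shell only creates the start and stop files and reads what init wrote. Because one type labels both the control files and init's output, the rule cannot express that split. Either state this in the comment, or give the init-written logs a separate type on which shell gets only `r_file_perms`. Whatever init reads back from the shell-writable start file should be treated as untrusted input by the bootchart code, which is outside this diff. The comment also has a typo; it should read `# User creates the start and stop files via adb shell`.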