tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/statsd.te
yro 31b11d8ef8 Update priv_app selinux policy to allow gmscore to be able to 
communicate with statsd

Test: manual testing conducted
Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
2018-01-09 20:39:09 +00:00

74 lines
2 KiB
Text
Raw Blame History

type statsd, domain;
typeattribute statsd coredomain;
init_daemon_domain(statsd)
type statsd_exec, exec_type, file_type;
binder_use(statsd)
# Allow statsd to scan through /proc/pid for all processes.
r_dir_file(statsd, domain)
# Allow executing files on system, such as running a shell or running:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow statsd shell_exec:file rx_file_perms;
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;
# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
allow statsd stats_data_file:dir create_dir_perms;
allow statsd stats_data_file:file create_file_perms;
# Allow statsd to make binder calls to any binder service.
binder_call(statsd, appdomain)
binder_call(statsd, incidentd)
binder_call(statsd, statscompanion_service)
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
# Grant statsd with permissions to register the services.
allow statsd {
statscompanion_service
app_api_service
system_api_service
}:service_manager find;
# Only statsd can publish the binder service.
add_service(statsd, stats_service)
# Allow pipes from (and only from) stats.
allow statsd stats:fd use;
allow statsd stats:fifo_file write;
# Allow statsd to call back to stats with status updates.
binder_call(statsd, stats)
###
### neverallow rules
###
# Only system_server, system_app, traceur_app, and stats command can find the stats service.
neverallow {
domain
-dumpstate
-priv_app
-shell
-stats
-statsd
-system_app
-system_server
userdebug_or_eng(`-traceur_app')
} stats_service:service_manager find;
# Only statsd and the other root services in limited circumstances.
# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
# Other services are prohibitted from accessing the file.
neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;
# Limited access to the directory itself.
neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;
Reference in a new issue View git blame Copy permalink