add common mm_logd sepolicy to allow write data

This CL allows mm_logd to read several stats from /proc and
/proc/<pid>/stat and to write them to /data/vendor/mm/

Bug: 151100384
Test: boot
Signed-off-by: Martin Liu <liumartin@google.com>
Change-Id: I5b74798b5297d5e6be86cd8c1c9421ad0bb6915a
diff --git a/mm/file.te b/mm/file.te
new file mode 100644
index 0000000..ee45803
--- /dev/null
+++ b/mm/file.te
@@ -0,0 +1,2 @@
+type mm_logd_vendor_data_file, file_type, data_file_type;
+
diff --git a/mm/file_contexts b/mm/file_contexts
new file mode 100644
index 0000000..a4bd033
--- /dev/null
+++ b/mm/file_contexts
@@ -0,0 +1,3 @@
+/vendor/bin/mm_logd                    u:object_r:init-mm-logging-sh_exec:s0
+/data/vendor/mm(/.*)?                  u:object_r:mm_logd_vendor_data_file:s0
+
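Review bot: The label given to `/vendor/bin/mm_logd` is `init-mm-logging-sh_exec`, a name that reads as a shell script started by init, while the labelled path and the commit title both call the program mm_logd. A domain and exec type named after the binary would be easier to match up when reading denials or process labels. If the current name is kept on purpose, a one-line comment above the entry such as `# mm_logd runs in the init-mm-logging-sh domain` would record the link.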
diff --git a/mm/init-mm-logging.sh.te b/mm/init-mm-logging.sh.te
new file mode 100644
index 0000000..ae05e7b
--- /dev/null
+++ b/mm/init-mm-logging.sh.te
@@ -0,0 +1,19 @@
+type init-mm-logging-sh, domain;
+type init-mm-logging-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-mm-logging-sh)
+
+dontaudit init-mm-logging-sh { domain -kernel }:{ file dir } *;
+dontaudit init-mm-logging-sh self:capability sys_ptrace;
+
+userdebug_or_eng(`
+  allow init-mm-logging-sh vendor_toolbox_exec:file rx_file_perms;
+  allow init-mm-logging-sh proc_vmstat:file r_file_perms;
+  allow init-mm-logging-sh mm_logd_vendor_data_file:dir create_dir_perms;
+  allow init-mm-logging-sh mm_logd_vendor_data_file:file create_file_perms;
+  # Allow /proc/<pid>/stat
+  allow init-mm-logging-sh kernel:dir r_dir_perms;
+  allow init-mm-logging-sh kernel:file r_file_perms;
+  allow init-mm-logging-sh proc_stat:file r_file_perms;
+')
+
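Review bot: The two `dontaudit` rules near the top of init-mm-logging.sh.te sit outside the `userdebug_or_eng` block, and the first uses the `*` permission set. On every build type, any denied access by this domain to another domain's files and directories (presumably the /proc/<pid> entries) is therefore left out of the audit log, write attempts included. If the aim is only to silence the noise from walking /proc, narrow the rule to the read sets, `dontaudit init-mm-logging-sh { domain -kernel }:dir r_dir_perms;` and `dontaudit init-mm-logging-sh { domain -kernel }:file r_file_perms;`, and consider moving both rules into the `userdebug_or_eng` block beside the allows they accompany. The comment `# Allow /proc/<pid>/stat` also understates the two `kernel` rules below it, which grant read on every file and directory labelled `kernel`, not only `stat`; something like `# Kernel threads: read access to all kernel-labelled /proc/<pid> entries, needed for stat` would be more accurate.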