commit 0187b2311350df7f2159fe9bf934aeb1f009769c
author Max Bires <jbires@google.com> Mon Oct 23 16:25:11 2017 -0700
committer Max Bires <jbires@google.com> Mon Oct 23 16:45:13 2017 -0700
tree ad047f7a5b0d6679a57107ec7c7efaf7b303fc65
parent 1b223839e042a1c3e5329756cbc601b65e11d94b

Adding statscompanion_service and a dontaudit for find/add

Instead of removing the denial generating code, a dontaudit and a
service label will be provided so that the team working on this new
feature doesn't have to get slowed up with local revision patches.

The dontaudit should be removed upon resolution of the linked bug.

Bug: 67468181
Test: statscompanion denials aren't audited
Change-Id: Ib4554a7b6c714e7409ea504f5d0b82d5e1283cf7

private/compat/26.0/26.0.ignore.cil

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 2cb4d09..23b8299 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -22,6 +22,7 @@
     mediaprovider_tmpfs
     netd_stable_secret_prop
     package_native_service
+    statscompanion_service
     storaged_data_file
     sysfs_fs_ext4_features
     system_boot_reason_prop

private/service_contexts

diff --git a/private/service_contexts b/private/service_contexts
index 86a6032..ac7fb8e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -140,6 +140,7 @@
 simphonebook2                             u:object_r:radio_service:s0
 simphonebook                              u:object_r:radio_service:s0
 sip                                       u:object_r:radio_service:s0
+statscompanion                            u:object_r:statscompanion_service:s0
 soundtrigger                              u:object_r:voiceinteraction_service:s0
 statusbar                                 u:object_r:statusbar_service:s0
 storaged                                  u:object_r:storaged_service:s0

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 9879913..b38509c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -786,3 +786,6 @@
 # file read access. However, that is now unnecessary (b/34951864)
 # This neverallow can be removed after b/34951864 is fixed.
 neverallow system_server system_server:capability sys_resource;
+
+# TODO(b/67468181): Remove following lines upon resolution of this bug
+dontaudit system_server statscompanion_service:service_manager { add find };

public/service.te

diff --git a/public/service.te b/public/service.te
index fe26020..3b9d60b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,6 +21,7 @@
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
+type statscompanion_service,    service_manager_type;
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;