Statsd allow shell in selinux policy
CTS tests need to be able to call, from hostside:
adb shell cmd stats dump-report (and others)
On a user build, this will fail because of an selinux policy violation
from shell. This cl fixes this by granting shell permission.
Similarly, Settings needs to communicate with statsd, so
system_app-statsd binder calls are given permission.
Bug: 72961153
Bug: 73255014
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests
Test: manual confirmation
Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02
diff --git a/private/shell.te b/private/shell.te
index 9b7235b..130a130 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -45,6 +45,9 @@
# when exec()-d by statsd.
domain_auto_trans(shell, perfetto_exec, perfetto)
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file r_file_perms;
diff --git a/private/statsd.te b/private/statsd.te
index 7221cba..2e8b684 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -72,6 +72,11 @@
allow statsd proc_uid_cputime_showstat:file { getattr open read };
hal_client_domain(statsd, hal_power)
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { read write };
+
+
###
### neverallow rules
###
diff --git a/private/system_app.te b/private/system_app.te
index cd697a1..d6be5a3 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -58,6 +58,9 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
+# Allow system apps (like Settings) to interact with statsd
+binder_call(system_app, statsd)
+
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)