commit 11bfc05cedef984b748a49eea8dfdda2e3eeadbf
author Paul Crowley <paulcrowley@google.com> Thu May 10 16:54:46 2018 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Thu May 10 16:54:46 2018 +0000
tree 1ad5fadf14831886ffd60e86a6145356d354c87e
parent 6ff0f490db972983202a078ad8ea3377b98a9e64
parent 9f760306ae202e07a83fb3b1a63b9e8821ff2ea7

Merge "Add wait_for_keymaster"

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 48ec634..60d3718 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -778,6 +778,11 @@
 allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };
 
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
 # On userdebug build we may profile system server. Allow it to write and create its own profile.
 userdebug_or_eng(`
   allow system_server user_profile_data_file:file create_file_perms;

public/shell.te

diff --git a/public/shell.te b/public/shell.te
index 2be6da6..4293f52 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -30,8 +30,8 @@
 allow shell trace_data_file:dir { r_dir_perms remove_name write };
 
 # Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
 
 # Read/execute files in /data/nativetest
 userdebug_or_eng(`