Add sepolicy for profcollectd This does not yet list all the required capabilities for profcollectd, but it at least allows the service to start under permissive mode. Bug: 79161490 Test: start profcollectd Change-Id: I92c6192fa9b31840b2aba26f83a6dc9f9e835030

commit: 239c85dd0d33ab9d3144dc12d7546ad72aca8d8c [log] [tgz]
author: Yi Kong <yikong@google.com> Thu Jun 18 12:43:23 2020 +0800
committer: Yi Kong <yikong@google.com> Wed Jul 01 23:44:37 2020 +0800
tree: 40ecc08e21a67164fca4360627c75326587e3822
parent: eed690476be79efdce73e66ff7bb7627c2aa7649 [diff]
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 2c4dce1..44a6799 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil

@@ -8,5 +8,9 @@
     apex_info_file
     debugfs_kprobes
     gnss_device
-    mediatranscoding_tmpfs))
+    mediatranscoding_tmpfs
+    profcollectd
+    profcollectd_data_file
+    profcollectd_exec
+    profcollectd_service))
 

diff --git a/private/file.te b/private/file.te
index 4492002..5225cdc 100644
--- a/private/file.te
+++ b/private/file.te

@@ -26,3 +26,6 @@
 
 # /data/misc/emergencynumberdb
 type emergency_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/profcollectd
+type profcollectd_data_file, file_type, data_file_type, core_data_file_type;

diff --git a/private/file_contexts b/private/file_contexts
index 75bca42..c477c67 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -310,6 +310,7 @@
 /system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
+/system/bin/profcollectd         u:object_r:profcollectd_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
 /system/bin/wpantund             u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
@@ -550,6 +551,7 @@
 /data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
 /data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
 /data/misc/prereboot(/.*)?      u:object_r:prereboot_data_file:s0
+/data/misc/profcollectd(/.*)?   u:object_r:profcollectd_data_file:s0
 /data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0

diff --git a/private/profcollectd.te b/private/profcollectd.te
new file mode 100644
index 0000000..6b861af
--- /dev/null
+++ b/private/profcollectd.te

@@ -0,0 +1,15 @@
+# profcollectd - hardware profile collection daemon
+type profcollectd, domain, coredomain;
+type profcollectd_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+  init_daemon_domain(profcollectd)
+
+  # profcollectd opens a file for writing in /data/misc/profcollectd
+  allow profcollectd profcollectd_data_file:file create_file_perms;
+  allow profcollectd profcollectd_data_file:dir rw_dir_perms;
+
+  # Allow profcollectd to publish a binder service and make binder calls.
+  binder_use(profcollectd)
+  add_service(profcollectd, profcollectd_service)
+')

diff --git a/private/service.te b/private/service.te
index 6c17521..29932d2 100644
--- a/private/service.te
+++ b/private/service.te

@@ -2,6 +2,7 @@
 type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;
+type profcollectd_service,          service_manager_type;
 type stats_service,                 service_manager_type;
 type statscompanion_service,        system_server_service, service_manager_type;
 type statsmanager_service,          system_api_service, system_server_service, service_manager_type;

diff --git a/private/service_contexts b/private/service_contexts
index d17b4a5..254ab5f 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -168,6 +168,7 @@
 print                                     u:object_r:print_service:s0
 processinfo                               u:object_r:processinfo_service:s0
 procstats                                 u:object_r:procstats_service:s0
+profcollectd                              u:object_r:profcollectd_service:s0
 radio.phonesubinfo                        u:object_r:radio_service:s0
 radio.phone                               u:object_r:radio_service:s0
 radio.sms                                 u:object_r:radio_service:s0

diff --git a/private/shell.te b/private/shell.te
index 2a2af0f..9758b36 100644
--- a/private/shell.te
+++ b/private/shell.te

@@ -143,3 +143,8 @@
 
 # Allow to read graphics related properties.
 get_prop(shell, graphics_config_prop)
+
+# Allow to issue control commands to profcollectd binder service.
+userdebug_or_eng(`
+  allow shell profcollectd:binder call;
+')

diff --git a/private/system_server.te b/private/system_server.te
index c2b4234..81988fd 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -797,6 +797,9 @@
 allow system_server update_engine_service:service_manager find;
 allow system_server vold_service:service_manager find;
 allow system_server wifinl80211_service:service_manager find;
+userdebug_or_eng(`
+  allow system_server profcollectd_service:service_manager find;
+')
 
 add_service(system_server, batteryproperties_service)
commit	239c85dd0d33ab9d3144dc12d7546ad72aca8d8c	[log] [tgz]
author	Yi Kong <yikong@google.com>	Thu Jun 18 12:43:23 2020 +0800
committer	Yi Kong <yikong@google.com>	Wed Jul 01 23:44:37 2020 +0800
tree	40ecc08e21a67164fca4360627c75326587e3822
parent	eed690476be79efdce73e66ff7bb7627c2aa7649 [diff]