Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 356772e4916ab128a605fc7f09479ebf8973c450^2..356772e4916ab128a605fc7f09479ebf8973c450 / .
commit356772e4916ab128a605fc7f09479ebf8973c450[log] [tgz]
authorTreehugger Robot <treehugger-gerrit@google.com>Wed Jan 24 19:37:02 2018 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Wed Jan 24 19:37:02 2018 +0000
tree242cf8c8ce2ada57a9e03885f6e40d61559d483e
parent24e8eff35daef6bca5cc3bef8e87a5d291bd5570 [diff]
parentcf38ca5ed05e728cdcb5bce0f3c4a67e72005045 [diff]
Merge "Update sepolicy of statsd to be able to find incident_service"
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 184d18d..9dd2ee7 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil

@@ -479,6 +479,7 @@
     proc_uid_time_in_state
     proc_uid_concurrent_active_time
     proc_uid_concurrent_policy_time
+    proc_uid_cpupower
     proc_uptime
     proc_version
     proc_vmallocinfo

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2acaf9f..8f0d489 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -78,6 +78,7 @@
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
 genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
 genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
 genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0

diff --git a/private/system_server.te b/private/system_server.te
index 6ebcab5..642c8bd 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -718,6 +718,7 @@
 }:file r_file_perms;
 
 allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
 
 r_dir_file(system_server, rootfs)
 

diff --git a/public/app.te b/public/app.te
index 582995a..3c29946 100644
--- a/public/app.te
+++ b/public/app.te

@@ -547,3 +547,6 @@
 
 # Apps cannot access proc_uid_concurrent_policy_time
 neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;

diff --git a/public/file.te b/public/file.te
index fc55412..02a4360 100644
--- a/public/file.te
+++ b/public/file.te

@@ -56,6 +56,7 @@
 type proc_uid_time_in_state, fs_type;
 type proc_uid_concurrent_active_time, fs_type;
 type proc_uid_concurrent_policy_time, fs_type;
+type proc_uid_cpupower, fs_type;
 type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;

diff --git a/public/vendor_init.te b/public/vendor_init.te
index b1efe1d..c56b45c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te

@@ -33,127 +33,47 @@
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
-}:dir { create search getattr open read setattr ioctl };
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
-  -system_file
-  -system_ndebug_socket
-  -unlabeled
-  -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init {
-  file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
   -runtime_event_log_tags_file
-  -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:file { create getattr open read write setattr relabelfrom unlink };
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
   file_type
-  -app_data_file
-  -bluetooth_data_file
-  -dalvikcache_data_file
+  -core_data_file_type
   -exec_type
-  -incident_data_file
-  -keystore_data_file
-  -misc_logd_file
-  -network_watchlist_data_file
-  -nfc_data_file
-  -property_data_file
-  -radio_data_file
-  -shell_data_file
-  -system_app_data_file
   -system_file
-  -system_ndebug_socket
   -unlabeled
   -vendor_file_type
-  -vold_data_file
-  -zoneinfo_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
   file_type
+  -core_data_file_type
+  -exec_type
   -system_file
   -vendor_file_type
-  -exec_type
-  -vold_data_file
-  -keystore_data_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;