commit 36dd2a410cfd1f95ba8dba44f0eda0c791ae71b6
author yro <yro@google.com> Thu Mar 29 11:07:13 2018 -0700
committer yro <yro@google.com> Fri Mar 30 15:58:58 2018 -0700
tree f70b4c5484a9bdd4a045df5b8d35cd6197be6622
parent 4bdefb59ca96cbd034c400235515fecfc9568f67

Update sepolicy to have system_server access stats_data

Test: manually tested to prevent sepolicy violation
Change-Id: I9ebcc86464a9fc61a49d5c9be40f19f3523b6785

private/statsd.te

diff --git a/private/statsd.te b/private/statsd.te
index dfec7a4..fec10a4 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -101,7 +101,7 @@
 # Only statsd and the other root services in limited circumstances.
 # can get to the files in /data/misc/stats-data, /data/misc/stats-service.
 # Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
 
 # Limited access to the directory itself.
-neverallow { domain -statsd -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 99c5442..0d9f72c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -135,6 +135,10 @@
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
+# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
+allow system_server stats_data_file:dir { open read remove_name search write };
+allow system_server stats_data_file:file unlink;
+
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;