Permit dropping caches from the shell through sys.drop_caches. * Permits setting the sys.drop_caches property from shell. * Permits init to read and write to the drop_caches file. * Can only be set to 3 (drop_caches) and 0 (unset). Bug: 178647679 Test: flashed user build and set property; no avc denials. Test: flashed userdebug build and dropped caches w/o root. Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d

commit: 3ccbebb415f25bd12c3870c378f5794bc7388498 [log] [tgz]
author: Michael Rosenfeld <mrosenfeld@google.com> Wed Feb 10 18:45:35 2021 -0800
committer: Michael Rosenfeld <mrosenfeld@google.com> Fri Mar 19 10:55:51 2021 -0700
tree: 0a5dea2e145657b27e27b52365b6c0130e034c21
parent: bd0268c0200a5d79d9797c90e53b6f525b660bdf [diff] [blame]
diff --git a/private/shell.te b/private/shell.te
index a99ada8..66e2d4d 100644
--- a/private/shell.te
+++ b/private/shell.te

@@ -121,6 +121,7 @@
 set_prop(shell, dumpstate_prop)
 set_prop(shell, exported_dumpstate_prop)
 set_prop(shell, debug_prop)
+set_prop(shell, perf_drop_caches_prop)
 set_prop(shell, powerctl_prop)
 set_prop(shell, log_tag_prop)
 set_prop(shell, wifi_log_prop)
@@ -189,3 +190,7 @@
 
 # Allow shell to read Virtual A/B related properties
 get_prop(shell, virtual_ab_prop)
+
+# Never allow others to set or get the perf.drop_caches property.
+neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
+neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
commit	3ccbebb415f25bd12c3870c378f5794bc7388498	[log] [tgz]
author	Michael Rosenfeld <mrosenfeld@google.com>	Wed Feb 10 18:45:35 2021 -0800
committer	Michael Rosenfeld <mrosenfeld@google.com>	Fri Mar 19 10:55:51 2021 -0700
tree	0a5dea2e145657b27e27b52365b6c0130e034c21
parent	bd0268c0200a5d79d9797c90e53b6f525b660bdf [diff] [blame]