Allow system server to write profile snapshots in /data/misc/profman
The goal is to allow creating profile snapshots from the shell command in
order to be able to write CTS tests.
The system server will dump profiles for debuggable in /data/misc/profman
from where they will be pulled and verified by CTS tests.
Test: adb shell cmd package snapshot-profile com.android.vending
Bug: 74081010
(cherry picked from commit 687d5e46ce81608b308ff0ae4ba9edeb878be8aa)
Merged-In: I54690305284b92c0e759538303cb98c93ce92dd5
Change-Id: I54690305284b92c0e759538303cb98c93ce92dd5
diff --git a/private/system_server.te b/private/system_server.te
index 48ec634..60d3718 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -778,6 +778,11 @@
allow system_server user_profile_data_file:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
allow system_server user_profile_data_file:file create_file_perms;
diff --git a/public/shell.te b/public/shell.te
index 2be6da6..4293f52 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -30,8 +30,8 @@
allow shell trace_data_file:dir { r_dir_perms remove_name write };
# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
# Read/execute files in /data/nativetest
userdebug_or_eng(`