Merge "Whitelist exported platform properties"

commit: 70d2bb432a2095d3659f8e610878567dd974ef6f [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Wed Jan 10 23:26:14 2018 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Jan 10 23:26:14 2018 +0000
tree: f8e7201fb30fa4b532b1eb181668136054c348c4
parent: 73b9d8d8d09241613c0cd90f95eac7555a434f54 [diff]
parent: e49714542ee846a7b14c8edb78303ec94cb4836e [diff]
diff --git a/OWNERS b/OWNERS
index 4bd7e34..c15fa63 100644
--- a/OWNERS
+++ b/OWNERS

@@ -4,3 +4,4 @@
 dcashman@google.com
 jbires@google.com
 sspatil@google.com
+jgalenson@google.com

diff --git a/private/bug_map b/private/bug_map
index d493c55..8b31001 100644
--- a/private/bug_map
+++ b/private/bug_map

@@ -4,3 +4,4 @@
 crash_dump app_data_file dir 68319037
 crash_dump bluetooth_data_file dir 68319037
 crash_dump vendor_overlay_file dir 68319037
+statsd statsd capability 71537285

diff --git a/private/statsd.te b/private/statsd.te
index 6b7f8cd..fee1881 100644
--- a/private/statsd.te
+++ b/private/statsd.te

@@ -13,10 +13,15 @@
 #   /system/bin/toolbox
 #   /system/bin/logcat
 #   /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
 allow statsd shell_exec:file rx_file_perms;
 allow statsd system_file:file execute_no_trans;
 allow statsd toolbox_exec:file rx_file_perms;
 
+userdebug_or_eng(`
+  allow statsd su:fifo_file read;
+')
+
 # Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
 allow statsd stats_data_file:dir create_dir_perms;
 allow statsd stats_data_file:file create_file_perms;
@@ -25,6 +30,7 @@
 binder_call(statsd, appdomain)
 binder_call(statsd, incidentd)
 binder_call(statsd, statscompanion_service)
+binder_call(statsd, system_server)
 
 # Allow logd access.
 read_logd(statsd)
@@ -50,6 +56,10 @@
 # Allow statsd to call back to stats with status updates.
 binder_call(statsd, stats)
 
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_power)
+
 ###
 ### neverallow rules
 ###

diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 7bdcd84..58e510e 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te

@@ -7,7 +7,7 @@
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set dac_override;
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
 allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
commit	70d2bb432a2095d3659f8e610878567dd974ef6f	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Wed Jan 10 23:26:14 2018 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Wed Jan 10 23:26:14 2018 +0000
tree	f8e7201fb30fa4b532b1eb181668136054c348c4
parent	73b9d8d8d09241613c0cd90f95eac7555a434f54 [diff]
parent	e49714542ee846a7b14c8edb78303ec94cb4836e [diff]