Allow heapprofd to read shell_data_file.
This allows profiling binaries pushed by the user.
Test: run profile of out of tree perfetto on flame userdebug.
Bug: 170208766
Change-Id: I152d6d244cc5065ee2de24f839e4ad467bc22cdc
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 7bd60a4..7e16b9b 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -45,6 +45,7 @@
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
+ r_dir_file(heapprofd, shell_data_file)
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
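Review bot: The added `r_dir_file(heapprofd, shell_data_file)` has no `userdebug_or_eng` guard in this hunk, while all three matching neverallow exemptions in public/domain.te are wrapped in `userdebug_or_eng`. Unless the surrounding lines of heapprofd.te already sit inside such a guard, user builds would carry an allow rule that the shell_data_file neverallows still forbid for heapprofd, which should fail the policy build. The grant also lands directly above `dac_read_search`, so on any build where it applies heapprofd can read /data/local/tmp content regardless of file mode. I would write it as ``userdebug_or_eng(`r_dir_file(heapprofd, shell_data_file)')`` so the grant and the exemptions stay in step. The enclosing context starts outside the hunk, so confirm it before changing.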
diff --git a/public/domain.te b/public/domain.te
index 931a045..301d541 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1186,6 +1186,7 @@
domain
-shell
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-heapprofd')
-installd
} shell_data_file:lnk_file read;
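Review bot: The three `-heapprofd` exemptions carry no comment saying why heapprofd may touch shell-owned data; this applies here and in the `shell_data_file:dir` and `shell_data_file:file` neverallows in the next two hunks. The neighbouring `-system_server # why?` shows how such entries become hard to justify or remove later. I would add a line of its own above each macro call, for example `# heapprofd reads adb-pushed binaries for unwinding, userdebug/eng only (b/170208766)`. The neverallow statements begin outside these hunks, so the full exemption lists are not visible here.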
@@ -1213,6 +1214,7 @@
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-heapprofd')
} shell_data_file:dir { open search };
# Same as above for /data/local/tmp files. We allow shell files
@@ -1224,6 +1226,7 @@
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-heapprofd')
} shell_data_file:file open;
# servicemanager and vndservicemanager are the only processes which handle the