commit 7c6b3eb9633d108206f5f3425cc62a401a1a8860
author Orion Hodson <oth@google.com> Fri Apr 09 15:17:38 2021 +0100
committer Orion Hodson <oth@google.com> Fri Apr 09 15:50:28 2021 +0100
tree 53d5435fd850e297e50813a89b1b9644a48c06a1
parent d6924e587e45f64658448c8575bb45e95cf0bf72

Add odrefresh_data_file for odrefresh metrics

Metrics are written to /data/misc/odrefresh by odrefresh during early
boot, then native code in ART system_server initialization passes them
to statsd and deletes the metrics files. This hand-off is necessary
because statsd does not start until after odsign and odrefresh have run.

Bug: 169925964
Test: manual
Change-Id: I8054519a714907819886dd6e5e78f3b5796d0898

private/odrefresh.te

diff --git a/private/odrefresh.te b/private/odrefresh.te
index e6b1023..6321b3d 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -7,6 +7,10 @@
 allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
 allow odrefresh apex_art_data_file:file create_file_perms;
 
+# Allow odrefresh to create data files (typically for metrics before statsd starts).
+allow odrefresh odrefresh_data_file:dir create_dir_perms;
+allow odrefresh odrefresh_data_file:file create_file_perms;
+
 userfaultfd_use(odrefresh)
 
 # Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
@@ -36,3 +40,8 @@
 
 # No other processes should be creating files in the staging area.
 neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
+
+# No processes other than init, odrefresh and system_server access
+# odrefresh_data_files.
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;