Allow zygote to write to statsd and refactor
We plan on migrating MetricsLogger to write to statsd socket. So we need to
allow zygote, which writes to logd using MetricsLogger, to also be able
to write to statsd. We also move the rules that allow writing to the statsd
socket into their respective domains' policy definitions.
Bug: 110537511
Test: no failure/violations observed
Change-Id: I21fd352a25ed946516f9a45ac3b5e9bf97b059bc
diff --git a/private/system_server.te b/private/system_server.te
index 6d3d1e3..e916415 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -167,6 +167,9 @@
unix_socket_connect(system_server, racoon, racoon)
unix_socket_connect(system_server, uncrypt, uncrypt)
+# Allow system_server to write to statsd.
+unix_socket_send(system_server, statsdw, statsd)
+
# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
diff --git a/private/zygote.te b/private/zygote.te
index 3affec1..0b087ac 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -96,6 +96,9 @@
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
+# Allow zygote to write to statsd.
+unix_socket_send(zygote, statsdw, statsd)
+
# Root fs.
r_dir_file(zygote, rootfs)
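Review bot: The new `unix_socket_send(zygote, statsdw, statsd)` rule is the only genuinely new grant in this change (the other hunks relocate existing rules), and its comment records what it allows but not why; the rationale lives only in the commit message. Suggest `# Allow zygote to write to statsd (MetricsLogger is migrating from logd to the statsd socket).` so a later reviewer of the zygote domain can tell whether the grant is still needed. Since processes forked from zygote transition into their own domains, this rule presumably does not carry over to app domains, but that is worth confirming against the neverallow block at the end of statsd.te, which follows the lines removed there.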
diff --git a/public/bootstat.te b/public/bootstat.te
index ce14c2f..a2a060b 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -26,6 +26,9 @@
# Allow access to reading the logs to read aspects of system health
read_logd(bootstat)
+# Allow bootstat write to statsd.
+unix_socket_send(bootstat, statsdw, statsd)
+
# ToDo: end
neverallow {
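Review bot: The added comment `# Allow bootstat write to statsd.` is missing a word and does not match the phrasing used by the sibling hunks in system_server.te, zygote.te and lmkd.te; change it to `# Allow bootstat to write to statsd.`. Note also that this rule now lives in public/ (as does the lmkd one) while the system_server rule moved to private/, which is consistent with the domains' existing locations but worth keeping in mind when reading the statsd.te removal.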
diff --git a/public/lmkd.te b/public/lmkd.te
index 54199e1..0fc5d0f 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -49,6 +49,9 @@
# Read /proc/meminfo
allow lmkd proc_meminfo:file r_file_perms;
+# Allow lmkd to write to statsd.
+unix_socket_send(lmkd, statsdw, statsd)
+
### neverallow rules
# never honor LD_PRELOAD
diff --git a/public/statsd.te b/public/statsd.te
index 384ce8a..603ee14 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -67,10 +67,7 @@
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read };
-unix_socket_send(bootstat, statsdw, statsd)
-unix_socket_send(lmkd, statsdw, statsd)
unix_socket_send(statsd, statsdw, statsd)
-unix_socket_send(system_server, statsdw, statsd)
###
### neverallow rules