Allow shell to read profcollect data files
Also restrict all profcollect-related entries to userdebug/eng builds and
move them into one place.
Test: manual
Bug: 183487233
Bug: 194155753
Change-Id: If3399bb78b60f0367267e67573007ed72508279a
diff --git a/private/shell.te b/private/shell.te
index 2f983f2..dc820bd 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -106,8 +106,16 @@
# Allow shell to execute simpleperf without a domain transition.
allow shell simpleperf_exec:file rx_file_perms;
-# Allow shell to execute profcollectctl without a domain transition.
-allow shell profcollectd_exec:file rx_file_perms;
+userdebug_or_eng(`
+ # Allow shell to execute profcollectctl without a domain transition.
+ allow shell profcollectd_exec:file rx_file_perms;
+
+ # Allow shell to read profcollectd data files.
+ r_dir_file(shell, profcollectd_data_file)
+
+ # Allow to issue control commands to profcollectd binder service.
+ allow shell profcollectd:binder call;
+')
# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
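Review bot: The new `r_dir_file(shell, profcollectd_data_file)` rule lets adb shell read every file of that type, but its comment does not say what those files hold or why shell needs them. The perf_event_open comment right after the block stresses that shell may profile other shell processes "but not the whole system". If profcollectd's output covers system-wide activity (not visible in this hunk), the new rule is a deliberate exception to that boundary and should say so. I would expand the comment to something like `# Allow shell to read profcollectd data files (may contain system-wide profiles); userdebug/eng only.` and add the intended use if there is one. The moved binder comment could also name its subject: `# Allow shell to issue control commands to the profcollectd binder service.`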
@@ -173,11 +181,6 @@
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
-# Allow to issue control commands to profcollectd binder service.
-userdebug_or_eng(`
- allow shell profcollectd:binder call;
-')
-
# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
allow shell keystore2_key_contexts_file:file r_file_perms;