Fix the sepolicy issue around shell and oatdump
aosp/2876742 changed the file context of oatdump from system_file to
oatdump_exec, which broke shell access on older platform versions. This
change fixes the issue by changing the file context back to system_file.
Also grant uprobestats rx_file_perms on system_file so it can execute
oatdump.
Bug: 350628688
Test: m hello_uprobestats && hello_uprobestats
Change-Id: If41c48b8a1ea76e83784fddbeb43d14a628a4060
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 14b68ad..ed12f10 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -10,5 +10,4 @@
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman u:object_r:profman_exec:s0
-/bin/oatdump u:object_r:oatdump_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/file.te b/private/file.te
index f8a48cd..21c9455 100644
--- a/private/file.te
+++ b/private/file.te
@@ -37,9 +37,6 @@
# /data/misc/uprobestats-configs for uprobestats configs
type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type;
-# /apex/com.android.art/bin/oatdump
-type oatdump_exec, system_file_type, exec_type, file_type;
-
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
diff --git a/private/shell.te b/private/shell.te
index d613a94..9944bd1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -261,9 +261,6 @@
# Allow shell to read the build properties for attestation feature
get_prop(shell, build_attestation_prop)
-# Allow shell to execute oatdump.
-allow shell oatdump_exec:file rx_file_perms;
-
# Allow shell access to socket for test
userdebug_or_eng(`
allow shell aconfigd_socket:sock_file write;
diff --git a/private/uprobestats.te b/private/uprobestats.te
index f6dd906..2c5711f 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -16,7 +16,7 @@
allow uprobestats sysfs_uprobe:dir { search };
# Allow uprobestats to popen oatdump.
-allow uprobestats oatdump_exec:file rx_file_perms;
+allow uprobestats system_file:file rx_file_perms;
# Allow uprobestats to write atoms to statsd
unix_socket_send(uprobestats, statsdw, statsd)
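Review bot: The added rule `allow uprobestats system_file:file rx_file_perms;` is not scoped to oatdump. It lets uprobestats read and execute every file labelled system_file, while the removed rule covered only the one binary that carried oatdump_exec. The comment above it still says only "popen oatdump", so a later policy audit cannot tell that the wider grant is a deliberate compatibility trade-off. I would reword it to something like `# Allow uprobestats to popen oatdump. oatdump is labelled system_file again (Bug: 350628688),` followed by `# so this grant covers all system_file files, not only oatdump.` Since rx_file_perms normally includes execute_no_trans, anything run this way stays in the uprobestats domain, so it is worth confirming nothing else reachable under system_file is meant to be run by this domain.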