Allow snapuserd to write log files to /data/misc
snapuserd logs are important when OTA failures happen. To make debugging
easier, allow snapuserd to persist logs in /data/misc/snapuserd_logs ,
and capture these logs in bugreport.
Bug: 280127810
Change-Id: I49e30fd97ea143e7b9c799b0c746150217d5cbe0
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3bfdcc8..5e165a6 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -60,6 +60,7 @@
rkpdapp
servicemanager_prop
shutdown_checkpoints_system_data_file
+ snapuserd_log_data_file
stats_config_data_file
sysfs_fs_fuse_features
system_net_netd_service
diff --git a/private/file_contexts b/private/file_contexts
index b1c7508..bb86761 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -664,6 +664,7 @@
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
+/data/misc/snapuserd_log(/.*)? u:object_r:snapuserd_log_data_file:s0
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 797a6c2..8cd9e63 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -57,6 +57,13 @@
allow snapuserd ota_metadata_file:dir rw_dir_perms;
allow snapuserd ota_metadata_file:file create_file_perms;
+# write to /data/misc/snapuserd_log
+allow snapuserd snapuserd_log_data_file:dir create_dir_perms;
+allow snapuserd snapuserd_log_data_file:file create_file_perms;
+
+# Read /proc/stat to determine boot time
+allow snapuserd proc_stat:file r_file_perms;
+
# This capability allows snapuserd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
allow snapuserd self:capability ipc_lock;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 58d6efa..cc3678c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -259,6 +259,9 @@
# Access /data/misc/update_engine & /data/misc/update_engine_log
allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
+# Access /data/misc/snapuserd_log
+allow dumpstate snapuserd_log_data_file:dir r_dir_perms;
+allow dumpstate snapuserd_log_data_file:file r_file_perms;
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
diff --git a/public/file.te b/public/file.te
index da76aee..7aad936 100644
--- a/public/file.te
+++ b/public/file.te
@@ -460,6 +460,7 @@
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
+type snapuserd_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;