Merge "sepolicy: broaden system_server access to foreign_dex_data_file." into nyc-dev
diff --git a/adbd.te b/adbd.te
index b44cf0d..9dc41fd 100644
--- a/adbd.te
+++ b/adbd.te
@@ -34,6 +34,10 @@
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
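Review bot: The two added `allow adbd profman_dump_data_file` rules are unconditional, so adbd can read /data/misc/profman on user builds as well as on userdebug and eng. If the dumps are only a debugging aid, wrapping both rules in `userdebug_or_eng(...)` would leave production policy unchanged. If they are meant to be pullable everywhere, the comment should say so, for example `# adb pull /data/misc/profman (profile dumps; allowed on all builds).` The dumps presumably describe which code an app has loaded, so it is worth recording who is expected to read them.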
diff --git a/file.te b/file.te
index ce9eff9..d2894ff 100644
--- a/file.te
+++ b/file.te
@@ -94,6 +94,8 @@
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/misc/profman
+type profman_dump_data_file, file_type, data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
diff --git a/file_contexts b/file_contexts
index 062b929..0192ea3 100644
--- a/file_contexts
+++ b/file_contexts
@@ -302,6 +302,7 @@
/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profiles/cur/[0-9]+/foreign-dex(/.*)? u:object_r:user_profile_foreign_dex_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
diff --git a/installd.te b/installd.te
index 0e64041..365722b 100644
--- a/installd.te
+++ b/installd.te
@@ -119,6 +119,9 @@
allow installd user_profile_data_file:file create_file_perms;
allow installd user_profile_data_file:dir rmdir;
allow installd user_profile_data_file:file unlink;
+# Files created/updated by profman dumps.
+allow installd profman_dump_data_file:dir { search add_name write };
+allow installd profman_dump_data_file:file { create setattr open write };
# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file rw_file_perms;
diff --git a/profman.te b/profman.te
index 92a23e2..9897069 100644
--- a/profman.te
+++ b/profman.te
@@ -4,6 +4,8 @@
allow profman user_profile_data_file:file { getattr read write lock };
+allow profman profman_dump_data_file:file { write };
+
allow profman installd:fd use;
neverallow profman app_data_file:notdevfile_class_set open;
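Review bot: The added rule `allow profman profman_dump_data_file:file { write };` has no comment and grants `write` without `open`, which only works if the file arrives as an already-open descriptor. The neighbouring `allow profman installd:fd use;` and the `open` permission given to installd in this commit suggest installd opens it. A comment such as `# Dump files are opened by installd and passed in as fds; profman only writes to them.` would keep a later editor from "fixing" the missing `open`. The braces around a single permission can be dropped. If profman calls fstat() on the descriptor, `getattr` would be needed as well, so check for denials.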
diff --git a/property.te b/property.te
index d2a238b..83208cf 100644
--- a/property.te
+++ b/property.te
@@ -23,6 +23,7 @@
type ctl_console_prop, property_type;
type audio_prop, property_type, core_property_type;
type log_prop, property_type, log_property_type;
+type log_tag_prop, property_type, log_property_type;
type logd_prop, property_type, core_property_type;
type mmc_prop, property_type;
type restorecon_prop, property_type, core_property_type;
diff --git a/property_contexts b/property_contexts
index 70a8080..2ba1551 100644
--- a/property_contexts
+++ b/property_contexts
@@ -33,7 +33,9 @@
debug.db. u:object_r:debuggerd_prop:s0
dumpstate. u:object_r:dumpstate_prop:s0
log. u:object_r:log_prop:s0
+log.tag. u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
+security.perf_harden u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tcp.port u:object_r:shell_prop:s0
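Review bot: The new entries `log.tag.` here and `persist.log.tag.` in the next hunk end in a dot, so the bare properties `log.tag` and `persist.log.tag` no longer match them and fall back to a broader label. The removed line `persist.log.tag` covered both the bare name and its children, and system_app loses `log_prop` in this same commit, so it can presumably no longer set the bare names. If that is not intended, use `log.tag u:object_r:log_tag_prop:s0` and `persist.log.tag u:object_r:log_tag_prop:s0`. Separately, `security.perf_harden` is given the shell-settable `shell_prop` label with no comment; a line such as `# perf hardening toggle, settable from adb shell` would record that this is deliberate.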
@@ -41,7 +43,7 @@
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
-persist.log.tag u:object_r:log_prop:s0
+persist.log.tag. u:object_r:log_tag_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
diff --git a/shell.te b/shell.te
index d8c6dd4..056eeb6 100644
--- a/shell.te
+++ b/shell.te
@@ -34,6 +34,10 @@
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
+# Access /data/misc/profman.
+allow shell profman_dump_data_file:dir { search getattr write remove_name };
+allow shell profman_dump_data_file:file { getattr unlink };
+
# Read/execute files in /data/nativetest
userdebug_or_eng(`
allow shell nativetest_data_file:dir r_dir_perms;
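Review bot: The comment `# Access /data/misc/profman.` does not say what access is intended, and the rules grant only deletion: `write remove_name` on the directory and `getattr unlink` on files, with no `read` or `open` on either. I would reword it to `# Allow shell to delete profman dumps in /data/misc/profman; reading is done by adbd (adb pull).` Without `open read` on the directory shell cannot list it, so deleting by glob will presumably fail and callers must name each file. The `userdebug_or_eng` block at the end of the hunk continues outside it.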
@@ -63,8 +67,9 @@
set_prop(shell, dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
+set_prop(shell, log_tag_prop)
+set_prop(shell, wifi_log_prop)
userdebug_or_eng(`set_prop(shell, log_prop)')
-userdebug_or_eng(`set_prop(shell, wifi_log_prop)')
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
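Review bot: Moving `set_prop(shell, wifi_log_prop)` out of its `userdebug_or_eng` wrapper and adding `set_prop(shell, log_tag_prop)` unconditionally lets adb shell raise log verbosity on user builds, and nothing in the hunk says why. More verbose tags can put more data into log buffers that shell can already read, so the widening deserves a comment, for example `# Allow adb shell to change per-tag log levels on all builds.` If WifiHAL verbosity is not needed on production devices, keep the removed `userdebug_or_eng` wrapper around the `wifi_log_prop` rule.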
diff --git a/system_app.te b/system_app.te
index b3f4b30..2d51c5a 100644
--- a/system_app.te
+++ b/system_app.te
@@ -31,7 +31,7 @@
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
-set_prop(system_app, log_prop)
+set_prop(system_app, log_tag_prop)
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;