[SfStats] sepolicy for SfStats' global puller
Bug: 119885568
Bug: 136597024
Test: adb shell cmd stats pull-source 10062
Test: statsd_testdrive 10062
Change-Id: Ide8ecd2683b3ea29a3207f89d35d7067490dabb1
diff --git a/private/stats.te b/private/stats.te
index ea9530c..26508f1 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -47,6 +47,7 @@
-shell
-stats
-statsd
+ -surfaceflinger
-system_app
-system_server
-traceur_app
diff --git a/private/statsd.te b/private/statsd.te
index a55c42d..1e56b67 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -19,3 +19,6 @@
# Allow StatsCompanionService to pipe data to statsd.
allow statsd system_server:fifo_file { read getattr };
+
+# Allow statsd to retrieve SF statistics over binder
+binder_call(statsd, surfaceflinger);
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index e696fe5..5d78a18 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -114,6 +114,10 @@
pdx_client(surfaceflinger, bufferhub_client)
pdx_client(surfaceflinger, performance_client)
+# Allow supplying timestats statistics to statsd
+allow surfaceflinger stats_service:service_manager find;
+binder_call(surfaceflinger, statsd);
+
###
### Neverallow rules
###