Revert^2 "SELinux policy for system server JVMTI"

This reverts commit baa06ee2cd8b2f6c8bd0c2d873dc2888d6296353.

Reason for revert: Added missing property name in vendor_init.te.

Bug: none
Test: none (other than neverallow checking)
Change-Id: I9e93bf4ea6ca3a4634f8f4cbce2f13c5f410883b
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index bd950dd..a7a0af3 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -33,6 +33,7 @@
     art_apex_dir
     service_manager_service
     system_group_file
+    system_jvmti_agent_prop
     system_passwd_file
     timezonedetector_service
     userspace_reboot_prop
diff --git a/private/property_contexts b/private/property_contexts
index 06c662e..d909dfc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -67,6 +67,7 @@
 persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
 persist.sys.audit_safemode      u:object_r:safemode_prop:s0
+persist.sys.dalvik.jvmtiagent   u:object_r:system_jvmti_agent_prop:s0
 persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
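Review bot: The new `persist.sys.dalvik.jvmtiagent` entry carries no match kind, so it is treated as a prefix match and any property whose name merely begins with that string also receives `system_jvmti_agent_prop`. If only the single property is intended, pin it with `persist.sys.dalvik.jvmtiagent   u:object_r:system_jvmti_agent_prop:s0 exact string` (the value type is assumed to be a string; confirm against what the runtime reads). The neighbouring entries use the same unqualified form, so this matches the file's current style, but for a label that controls agent loading in system_server the tighter match is worth having.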
diff --git a/private/system_server.te b/private/system_server.te
index 5544279..603ea9c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -894,6 +894,8 @@
 userdebug_or_eng(`
   allow system_server user_profile_data_file:file create_file_perms;
 ')
+# Allow system server to load JVMTI agents under control of a property.
+get_prop(system_server,system_jvmti_agent_prop)
 
 # UsbDeviceManager uses /dev/usb-ffs
 allow system_server functionfs:dir search;
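Review bot: The added `get_prop(system_server,system_jvmti_agent_prop)` sits directly after the closing `')` of the `userdebug_or_eng` block rather than inside it, so the read is granted on user builds too; if agent loading is meant as a debugging feature, either move the rule inside the macro or say in the comment why it is unconditional. Because the property's value decides what is loaded into system_server, who may set it matters more than who may read it, and none of the visible hunks constrains setters, since the neverallow added further down this file covers `file` permissions only. Unless such a rule already exists elsewhere, consider a companion `neverallow { domain -init <intended setters> } system_jvmti_agent_prop:property_service set;`. A blank line between `')` and the new comment would also keep the two stanzas apart.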
@@ -1031,6 +1033,17 @@
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+# JVMTI agent settings are only readable from the system server.
+neverallow {
+  domain
+  -system_server
+  -dumpstate
+  -init
+  -vendor_init
+} {
+  system_jvmti_agent_prop
+}:file no_rw_file_perms;
+
 # Read/Write /proc/pressure/memory
 allow system_server proc_pressure_mem:file rw_file_perms;