Restrict system server from reading statsd data
Bug: 267367423
Test: m -j
Change-Id: I0628142c2380cf568643f864ae211fbf5380550c
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 97a1c91..1cb07db 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -22,6 +22,7 @@
permissive_mte_prop
prng_seeder
servicemanager_prop
+ stats_config_data_file
system_net_netd_service
timezone_metadata_prop
tuner_config_prop
diff --git a/private/file_contexts b/private/file_contexts
index 951c9b5..5c29795 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -642,7 +642,7 @@
/data/misc/snapshotctl_log(/.*)? u:object_r:snapshotctl_log_data_file:s0
/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
-/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-service(/.*)? u:object_r:stats_config_data_file:s0
/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
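Review bot: Relabeling `/data/misc/stats-service(/.*)?` only affects entries that actually get a restorecon; files written before an OTA keep their on-disk `stats_data_file` label until something relabels them, and after this change system_server has no `stats_data_file` access at all (see the system_server.te hunk), so its cleanup of pre-upgrade files in that directory would be denied. It is worth confirming that the existing directory and its contents are relabeled on first boot after the upgrade rather than relying on only newly created files getting the new label. If the boot sequence already covers this, a one-line mention in the commit message would spare the next reader the same check.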
diff --git a/private/system_server.te b/private/system_server.te
index aedebaf..7a91557 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -221,9 +221,9 @@
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
+# Delete /data/misc/stats-service/ directories.
+allow system_server stats_config_data_file:dir { open read remove_name search write };
+allow system_server stats_config_data_file:file unlink;
# Read metric file & upload to statsd
allow system_server odsign_data_file:dir search;
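Review bot: The new comment `# Delete /data/misc/stats-service/ directories.` overstates what the two rules grant: `{ open read remove_name search write }` on the dir plus `unlink` on files lets system_server remove entries inside /data/misc/stats-service, but without `rmdir` it cannot remove the directory itself or any subdirectory. Suggest `# Remove entries under /data/misc/stats-service/ (no rmdir: the directory itself stays).`; if the caller really does remove subdirectories, `rmdir` has to be added to the dir permissions and the comment kept as is. Note that this is the only system_server access to the new type visible in the change, which is what makes the tightened stats_data_file neverallow in statsd.te hold.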
diff --git a/public/file.te b/public/file.te
index eb55210..c63765d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -445,6 +445,7 @@
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
+type stats_config_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/statsd.te b/public/statsd.te
index 1a09586..f2e2eee 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -19,9 +19,16 @@
allow statsd su:fifo_file read;
')
-# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+# Create, read, and write into
+# /data/misc/stats-active-metric
+# /data/misc/stats-data
+# /data/misc/stats-metadata
+# /data/misc/stats-service
+# /data/misc/train-info
allow statsd stats_data_file:dir create_dir_perms;
allow statsd stats_data_file:file create_file_perms;
+allow statsd stats_config_data_file:dir create_dir_perms;
+allow statsd stats_config_data_file:file create_file_perms;
# Allow statsd to make binder calls to any binder service.
binder_call(statsd, appdomain)
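Review bot: The rewritten comment lists /data/misc/stats-service alongside four directories that stay `stats_data_file`, while the rules immediately below split them across two types, so a reader cannot tell from the comment which path carries which label. Suggest grouping the list by type, e.g. `# stats_data_file: /data/misc/stats-active-metric, stats-data, stats-metadata, train-info` and `# stats_config_data_file: /data/misc/stats-service (system_server may also delete entries here)`. The label of /data/misc/train-info is not visible in this change; presumably stats_data_file, but confirm against file_contexts before listing it under that type.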
@@ -79,7 +86,10 @@
# Only statsd and the other root services in limited circumstances.
# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:file *;
+
# Limited access to the directory itself.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:dir *;
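Review bot: The comment above these rules is now stale: it still says the other root services can reach files in /data/misc/stats-data, whereas the new `neverallow { domain -statsd -init -vold } stats_data_file:file *;` drops system_server from that set and only /data/misc/stats-service (`stats_config_data_file`) keeps the system_server exception; `prohibitted` is also misspelled. Suggest `# Only statsd (plus init and vold) may touch files in /data/misc/stats-data; system_server is additionally allowed on /data/misc/stats-service so it can delete entries there. Other domains are prohibited from accessing these files.` Since the only system_server file permission on the new type visible in this change is `unlink`, the intent of the commit could be pinned with `neverallow system_server stats_config_data_file:file ~unlink;` so a later allow rule cannot quietly reintroduce read access to the config directory, provided no other rule on that type exists outside this change.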