Restrict system server from reading statsd data
Bug: 267367423
Test: m -j
Change-Id: I0628142c2380cf568643f864ae211fbf5380550c
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 97a1c91..1cb07db 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -22,6 +22,7 @@
permissive_mte_prop
prng_seeder
servicemanager_prop
+ stats_config_data_file
system_net_netd_service
timezone_metadata_prop
tuner_config_prop
diff --git a/private/file_contexts b/private/file_contexts
index 951c9b5..5c29795 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -642,7 +642,7 @@
/data/misc/snapshotctl_log(/.*)? u:object_r:snapshotctl_log_data_file:s0
/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
-/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-service(/.*)? u:object_r:stats_config_data_file:s0
/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index aedebaf..7a91557 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -221,9 +221,9 @@
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
+# Delete /data/misc/stats-service/ directories.
+allow system_server stats_config_data_file:dir { open read remove_name search write };
+allow system_server stats_config_data_file:file unlink;
# Read metric file & upload to statsd
allow system_server odsign_data_file:dir search;