Allow system server to record its own profile

On userdebug builds we can now profile system server without disabling selinux. This is the final piece, and allows the system server to save its own profile. Test: manual, on a device with system server profiling enabled Bug: 73313191 (cherry picked from commit 71d8467b) Change-Id: I93e7e01bfbd3146a8cfd26a1f6e88b640e9c4e0f

Allow system server to record its own profile
On userdebug builds we can now profile system server without disabling selinux. This is the final piece, and allows the system server to save its own profile. Test: manual, on a device with system server profiling enabled Bug: 73313191 (cherry picked from commit 71d8467b) Change-Id: I93e7e01bfbd3146a8cfd26a1f6e88b640e9c4e0f
035fcc46 · Calin Juravle · 9e80bfc8 · 035fcc46 · 035fcc46
Commit 035fcc46 authored 6 years ago by Calin Juravle
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -770,9 +770,14 @@ allow system_server netd:bpf map_read;
 # Allow system_server to open profile snapshots for read.
 # System server never reads the actual content. It passes the descriptor to
 # to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { search };
+allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };

+# On userdebug build we may profile system server. Allow it to write and create its own profile.
+userdebug_or_eng(`
+  allow system_server user_profile_data_file:file create_file_perms;
+')
+
 userdebug_or_eng(`
  # Allow system server to notify mediaextractor of the plugin update.
  allow system_server mediaextractor_update_service:service_manager find;

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -772,9 +772,14 @@ allow system_server netd:bpf map_read;
 # Allow system_server to open profile snapshots for read.
 # System server never reads the actual content. It passes the descriptor to
 # to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { search };
+allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };

+# On userdebug build we may profile system server. Allow it to write and create its own profile.
+userdebug_or_eng(`
+  allow system_server user_profile_data_file:file create_file_perms;
+')
+
 userdebug_or_eng(`
  # Allow system server to notify mediaextractor of the plugin update.
  allow system_server mediaextractor_update_service:service_manager find;