Fix build.

Make all platform tyeps public to start to prevent build breakage in any devices that may have device-specific policy using these types. Future changes will need to be carefully made to ensure we properly limit types for use by non-platform policy. Test: Builds Change-Id: I7349940d5b5a57357bc7c16f66925dee1d030eb6

Fix build.
Make all platform tyeps public to start to prevent build breakage in any devices that may have device-specific policy using these types. Future changes will need to be carefully made to ensure we properly limit types for use by non-platform policy. Test: Builds Change-Id: I7349940d5b5a57357bc7c16f66925dee1d030eb6
0c8ad1dc · dcashman · e082cdb5 · 0c8ad1dc · 0c8ad1dc · 0c8ad1dc
Commit 0c8ad1dc authored 8 years ago by dcashman
--- a/private/atrace.te
+++ b/private/atrace.te
-# Domain for atrace process spawned by boottrace service.
-type atrace_exec, exec_type, file_type;
 userdebug_or_eng(`
-  type atrace, domain, domain_deprecated;
  init_daemon_domain(atrace)
+')
-  # boottrace services uses /data/misc/boottrace/categories
\ No newline at end of file
-  allow atrace boottrace_data_file:dir search;
-  allow atrace boottrace_data_file:file r_file_perms;
-  # atrace reads the files in /sys/kernel/debug/tracing/
-  allow atrace debugfs_tracing:file r_file_perms;
-  # atrace sets debug.atrace.* properties
-  set_prop(atrace, debug_prop)
-  # atrace pokes all the binder-enabled processes at startup.
-  binder_use(atrace)
-  allow atrace healthd:binder call;
-  allow atrace surfaceflinger:binder call;
-')
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
-# perfprofd - perf profile collection daemon
-type perfprofd_exec, exec_type, file_type;
 userdebug_or_eng(`
-  type perfprofd, domain, domain_deprecated, mlstrustedsubject;
  init_daemon_domain(perfprofd)
+')
-  # perfprofd needs to control CPU hot-plug in order to avoid kernel
\ No newline at end of file
-  # perfevents problems in cases where CPU goes on/off during measurement;
-  # this means read access to /sys/devices/system/cpu/possible
-  # and read/write access to /sys/devices/system/cpu/cpu*/online
-  allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
-  # perfprofd checks for the existence of and then invokes simpleperf;
-  # simpleperf retains perfprofd domain after exec
-  allow perfprofd system_file:file rx_file_perms;
-  # perfprofd reads a config file from /data/data/com.google.android.gms/files
-  allow perfprofd app_data_file:file r_file_perms;
-  allow perfprofd app_data_file:dir search;
-  allow perfprofd self:capability { dac_override };
-  # perfprofd opens a file for writing in /data/misc/perfprofd
-  allow perfprofd perfprofd_data_file:file create_file_perms;
-  allow perfprofd perfprofd_data_file:dir rw_dir_perms;
-  # perfprofd uses the system log
-  read_logd(perfprofd);
-  write_logd(perfprofd);
-  # perfprofd inspects /sys/power/wake_unlock
-  wakelock_use(perfprofd);
-  # simpleperf uses ioctl() to turn on kernel perf events measurements
-  allow perfprofd self:capability sys_admin;
-  # simpleperf needs to examine /proc to collect task/thread info
-  r_dir_file(perfprofd, domain)
-  # simpleperf needs to access /proc/<pid>/exec
-  allow perfprofd self:capability { sys_resource sys_ptrace };
-  neverallow perfprofd domain:process ptrace;
-  # simpleperf needs open/read any file that turns up in a profile
-  # to see whether it has a build ID
-  allow perfprofd exec_type:file r_file_perms;
-  # simpleperf examines debugfs on startup to collect tracepoint event types
-  allow perfprofd debugfs_tracing:file r_file_perms;
-  # simpleperf is going to execute "sleep"
-  allow perfprofd toolbox_exec:file rx_file_perms;
-  # needed for simpleperf on some kernels
-  allow perfprofd self:capability ipc_lock;
-')
--- a/public/atrace.te
+++ b/public/atrace.te
+# Domain for atrace process spawned by boottrace service.
+type atrace_exec, exec_type, file_type;
+userdebug_or_eng(`
+  type atrace, domain, domain_deprecated;
+  # boottrace services uses /data/misc/boottrace/categories
+  allow atrace boottrace_data_file:dir search;
+  allow atrace boottrace_data_file:file r_file_perms;
+  # atrace reads the files in /sys/kernel/debug/tracing/
+  allow atrace debugfs_tracing:file r_file_perms;
+  # atrace sets debug.atrace.* properties
+  set_prop(atrace, debug_prop)
+  # atrace pokes all the binder-enabled processes at startup.
+  binder_use(atrace)
+  allow atrace healthd:binder call;
+  allow atrace surfaceflinger:binder call;
+')
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
+# perfprofd - perf profile collection daemon
+type perfprofd_exec, exec_type, file_type;
+userdebug_or_eng(`
+  type perfprofd, domain, domain_deprecated, mlstrustedsubject;
+  # perfprofd needs to control CPU hot-plug in order to avoid kernel
+  # perfevents problems in cases where CPU goes on/off during measurement;
+  # this means read access to /sys/devices/system/cpu/possible
+  # and read/write access to /sys/devices/system/cpu/cpu*/online
+  allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
+  # perfprofd checks for the existence of and then invokes simpleperf;
+  # simpleperf retains perfprofd domain after exec
+  allow perfprofd system_file:file rx_file_perms;
+  # perfprofd reads a config file from /data/data/com.google.android.gms/files
+  allow perfprofd app_data_file:file r_file_perms;
+  allow perfprofd app_data_file:dir search;
+  allow perfprofd self:capability { dac_override };
+  # perfprofd opens a file for writing in /data/misc/perfprofd
+  allow perfprofd perfprofd_data_file:file create_file_perms;
+  allow perfprofd perfprofd_data_file:dir rw_dir_perms;
+  # perfprofd uses the system log
+  read_logd(perfprofd);
+  write_logd(perfprofd);
+  # perfprofd inspects /sys/power/wake_unlock
+  wakelock_use(perfprofd);
+  # simpleperf uses ioctl() to turn on kernel perf events measurements
+  allow perfprofd self:capability sys_admin;
+  # simpleperf needs to examine /proc to collect task/thread info
+  r_dir_file(perfprofd, domain)
+  # simpleperf needs to access /proc/<pid>/exec
+  allow perfprofd self:capability { sys_resource sys_ptrace };
+  neverallow perfprofd domain:process ptrace;
+  # simpleperf needs open/read any file that turns up in a profile
+  # to see whether it has a build ID
+  allow perfprofd exec_type:file r_file_perms;
+  # simpleperf examines debugfs on startup to collect tracepoint event types
+  allow perfprofd debugfs_tracing:file r_file_perms;
+  # simpleperf is going to execute "sleep"
+  allow perfprofd toolbox_exec:file rx_file_perms;
+  # needed for simpleperf on some kernels
+  allow perfprofd self:capability ipc_lock;
+')