From 0c8ad1dc94a32b46d089855f47ac17cc7e073887 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Tue, 6 Dec 2016 16:49:25 -0800
Subject: [PATCH] Fix build.

Make all platform types public to start, to prevent build breakage in any devices
that may have device-specific policy using these types.  Future changes will
need to be carefully made to ensure we properly limit types for use by
non-platform policy.

Test: Builds
Change-Id: I7349940d5b5a57357bc7c16f66925dee1d030eb6
---
 private/atrace.te    | 23 +-----------------
 private/perfprofd.te | 58 +-------------------------------------------
 public/atrace.te     | 23 ++++++++++++++++++
 public/perfprofd.te  | 57 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 82 insertions(+), 79 deletions(-)
 create mode 100644 public/atrace.te
 create mode 100644 public/perfprofd.te

diff --git a/private/atrace.te b/private/atrace.te
index 31cf9e766..e974b6966 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -1,24 +1,3 @@
-# Domain for atrace process spawned by boottrace service.
-type atrace_exec, exec_type, file_type;
-
 userdebug_or_eng(`
-
-  type atrace, domain, domain_deprecated;
   init_daemon_domain(atrace)
-
-  # boottrace services uses /data/misc/boottrace/categories
-  allow atrace boottrace_data_file:dir search;
-  allow atrace boottrace_data_file:file r_file_perms;
-
-  # atrace reads the files in /sys/kernel/debug/tracing/
-  allow atrace debugfs_tracing:file r_file_perms;
-
-  # atrace sets debug.atrace.* properties
-  set_prop(atrace, debug_prop)
-
-  # atrace pokes all the binder-enabled processes at startup.
-  binder_use(atrace)
-  allow atrace healthd:binder call;
-  allow atrace surfaceflinger:binder call;
-
-')
+')
\ No newline at end of file
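Review bot: The rewritten private/atrace.te ends at `')` with no trailing newline (see the `\ No newline at end of file` marker), and the private/perfprofd.te hunk below does the same. Policy sources are normally concatenated and passed through m4 before compilation; if that holds for this build, the first line of whichever file follows is joined onto `')`, so both files should end with a newline rather than depend on what comes next. Both private files now hold only the `init_daemon_domain(...)` call, so a one-line header such as `# Types and rules for atrace are declared in public/atrace.te.` would help a reader who opens the private file first.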
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 0122c5590..1d2d084bd 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -1,59 +1,3 @@
-# perfprofd - perf profile collection daemon
-type perfprofd_exec, exec_type, file_type;
-
 userdebug_or_eng(`
-
-  type perfprofd, domain, domain_deprecated, mlstrustedsubject;
-
   init_daemon_domain(perfprofd)
-
-  # perfprofd needs to control CPU hot-plug in order to avoid kernel
-  # perfevents problems in cases where CPU goes on/off during measurement;
-  # this means read access to /sys/devices/system/cpu/possible
-  # and read/write access to /sys/devices/system/cpu/cpu*/online
-  allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
-
-  # perfprofd checks for the existence of and then invokes simpleperf;
-  # simpleperf retains perfprofd domain after exec
-  allow perfprofd system_file:file rx_file_perms;
-
-  # perfprofd reads a config file from /data/data/com.google.android.gms/files
-  allow perfprofd app_data_file:file r_file_perms;
-  allow perfprofd app_data_file:dir search;
-  allow perfprofd self:capability { dac_override };
-
-  # perfprofd opens a file for writing in /data/misc/perfprofd
-  allow perfprofd perfprofd_data_file:file create_file_perms;
-  allow perfprofd perfprofd_data_file:dir rw_dir_perms;
-
-  # perfprofd uses the system log
-  read_logd(perfprofd);
-  write_logd(perfprofd);
-
-  # perfprofd inspects /sys/power/wake_unlock
-  wakelock_use(perfprofd);
-
-  # simpleperf uses ioctl() to turn on kernel perf events measurements
-  allow perfprofd self:capability sys_admin;
-
-  # simpleperf needs to examine /proc to collect task/thread info
-  r_dir_file(perfprofd, domain)
-
-  # simpleperf needs to access /proc/<pid>/exec
-  allow perfprofd self:capability { sys_resource sys_ptrace };
-  neverallow perfprofd domain:process ptrace;
-
-  # simpleperf needs open/read any file that turns up in a profile
-  # to see whether it has a build ID
-  allow perfprofd exec_type:file r_file_perms;
-
-  # simpleperf examines debugfs on startup to collect tracepoint event types
-  allow perfprofd debugfs_tracing:file r_file_perms;
-
-  # simpleperf is going to execute "sleep"
-  allow perfprofd toolbox_exec:file rx_file_perms;
-
-  # needed for simpleperf on some kernels
-  allow perfprofd self:capability ipc_lock;
-
-')
+')
\ No newline at end of file
diff --git a/public/atrace.te b/public/atrace.te
new file mode 100644
index 000000000..b4ae753f7
--- /dev/null
+++ b/public/atrace.te
@@ -0,0 +1,23 @@
+# Domain for atrace process spawned by boottrace service.
+type atrace_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+
+  type atrace, domain, domain_deprecated;
+
+  # boottrace services uses /data/misc/boottrace/categories
+  allow atrace boottrace_data_file:dir search;
+  allow atrace boottrace_data_file:file r_file_perms;
+
+  # atrace reads the files in /sys/kernel/debug/tracing/
+  allow atrace debugfs_tracing:file r_file_perms;
+
+  # atrace sets debug.atrace.* properties
+  set_prop(atrace, debug_prop)
+
+  # atrace pokes all the binder-enabled processes at startup.
+  binder_use(atrace)
+  allow atrace healthd:binder call;
+  allow atrace surfaceflinger:binder call;
+
+')
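Review bot: The description states the goal as making the platform types public, but this new file also carries every `allow` rule plus the `set_prop` and `binder_use` calls for atrace. public/perfprofd.te below likewise moves its entire rule set, including `self:capability sys_admin`, `dac_override` and `sys_ptrace`. Device policy that refers to these types should only need the `type` declarations to be visible, so keeping the rules in the private files would still fix the build while keeping the granted permissions out of the surface that non-platform policy is written against. If the full move is an intentional stopgap, record it with a header comment such as `# TODO: move rules back to private/ once public types are limited.`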
diff --git a/public/perfprofd.te b/public/perfprofd.te
new file mode 100644
index 000000000..eed7e5848
--- /dev/null
+++ b/public/perfprofd.te
@@ -0,0 +1,57 @@
+# perfprofd - perf profile collection daemon
+type perfprofd_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+
+  type perfprofd, domain, domain_deprecated, mlstrustedsubject;
+
+  # perfprofd needs to control CPU hot-plug in order to avoid kernel
+  # perfevents problems in cases where CPU goes on/off during measurement;
+  # this means read access to /sys/devices/system/cpu/possible
+  # and read/write access to /sys/devices/system/cpu/cpu*/online
+  allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
+
+  # perfprofd checks for the existence of and then invokes simpleperf;
+  # simpleperf retains perfprofd domain after exec
+  allow perfprofd system_file:file rx_file_perms;
+
+  # perfprofd reads a config file from /data/data/com.google.android.gms/files
+  allow perfprofd app_data_file:file r_file_perms;
+  allow perfprofd app_data_file:dir search;
+  allow perfprofd self:capability { dac_override };
+
+  # perfprofd opens a file for writing in /data/misc/perfprofd
+  allow perfprofd perfprofd_data_file:file create_file_perms;
+  allow perfprofd perfprofd_data_file:dir rw_dir_perms;
+
+  # perfprofd uses the system log
+  read_logd(perfprofd);
+  write_logd(perfprofd);
+
+  # perfprofd inspects /sys/power/wake_unlock
+  wakelock_use(perfprofd);
+
+  # simpleperf uses ioctl() to turn on kernel perf events measurements
+  allow perfprofd self:capability sys_admin;
+
+  # simpleperf needs to examine /proc to collect task/thread info
+  r_dir_file(perfprofd, domain)
+
+  # simpleperf needs to access /proc/<pid>/exec
+  allow perfprofd self:capability { sys_resource sys_ptrace };
+  neverallow perfprofd domain:process ptrace;
+
+  # simpleperf needs open/read any file that turns up in a profile
+  # to see whether it has a build ID
+  allow perfprofd exec_type:file r_file_perms;
+
+  # simpleperf examines debugfs on startup to collect tracepoint event types
+  allow perfprofd debugfs_tracing:file r_file_perms;
+
+  # simpleperf is going to execute "sleep"
+  allow perfprofd toolbox_exec:file rx_file_perms;
+
+  # needed for simpleperf on some kernels
+  allow perfprofd self:capability ipc_lock;
+
+')
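Review bot: The comment above `allow perfprofd app_data_file:file r_file_perms;` describes a single config file under the GMS data directory, but the rule is written against the `app_data_file` type as a whole. Combined with `self:capability { dac_override }` and the `mlstrustedsubject` attribute on the `type perfprofd` line, it does not appear to be limited to that one path. The `userdebug_or_eng` wrapper is what bounds the exposure, and the comment should say so, for example `# NOTE: grants read on all app_data_file, not only the GMS config; userdebug/eng builds only.` The later comment `/proc/<pid>/exec` presumably means `/proc/<pid>/exe` and could be corrected at the same time.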
-- 
GitLab