From 687d5e46ce81608b308ff0ae4ba9edeb878be8aa Mon Sep 17 00:00:00 2001
From: Calin Juravle <calin@google.com>
Date: Fri, 4 May 2018 17:44:33 -0700
Subject: [PATCH] Allow system server to write profile snapshots in
/data/misc/profman
The goal is to allow creating profile snapshots from the shell command in
order to be able to write CTS tests.
The system server will dump profiles for debuggable in /data/misc/profman
from where they will be pulled and verified by CTS tests.
Test: adb shell cmd package snapshot-profile com.android.vending
Bug: 74081010
Change-Id: I54690305284b92c0e759538303cb98c93ce92dd5
---
prebuilts/api/28.0/private/system_server.te | 5 +++++
prebuilts/api/28.0/public/shell.te | 4 ++--
private/system_server.te | 5 +++++
public/shell.te | 4 ++--
4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
index 7e2f26654..b037fe4a6 100644
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -775,6 +775,11 @@ allow system_server netd:bpf map_read;
allow system_server user_profile_data_file:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
allow system_server user_profile_data_file:file create_file_perms;
diff --git a/prebuilts/api/28.0/public/shell.te b/prebuilts/api/28.0/public/shell.te
index 2c6ce4430..307e10342 100644
--- a/prebuilts/api/28.0/public/shell.te
+++ b/prebuilts/api/28.0/public/shell.te
@@ -30,8 +30,8 @@ allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };
# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
# Read/execute files in /data/nativetest
userdebug_or_eng(`
diff --git a/private/system_server.te b/private/system_server.te
index 7e2f26654..b037fe4a6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -775,6 +775,11 @@ allow system_server netd:bpf map_read;
allow system_server user_profile_data_file:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
# On userdebug build we may profile system server. Allow it to write and create its own profile.
userdebug_or_eng(`
allow system_server user_profile_data_file:file create_file_perms;
diff --git a/public/shell.te b/public/shell.te
index 2c6ce4430..307e10342 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -30,8 +30,8 @@ allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };
# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
# Read/execute files in /data/nativetest
userdebug_or_eng(`
--
GitLab