Allow zygote to write to statsd and refactor

We plan on migrating MetricsLogger to write to statsd socket. So we need to allow zygote, which writes to logd using MetricsLogger, to also be able to statsd. We also re-locate some sepolicies to write to statsd socket in their respective policy definitions. Bug: 110537511 Test: no failure/violations observed Change-Id: I21fd352a25ed946516f9a45ac3b5e9bf97b059bc

Allow zygote to write to statsd and refactor
We plan on migrating MetricsLogger to write to statsd socket. So we need to allow zygote, which writes to logd using MetricsLogger, to also be able to statsd. We also re-locate some sepolicies to write to statsd socket in their respective policy definitions. Bug: 110537511 Test: no failure/violations observed Change-Id: I21fd352a25ed946516f9a45ac3b5e9bf97b059bc
98de322a · Howard Ro · dcd5b544 · 98de322a · 98de322a · 98de322a
Commit 98de322a authored 6 years ago by Howard Ro
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -167,6 +167,9 @@ unix_socket_connect(system_server, zygote, zygote)
 unix_socket_connect(system_server, racoon, racoon)
 unix_socket_connect(system_server, uncrypt, uncrypt)

+# Allow system_server to write to statsd.
+unix_socket_send(system_server, statsdw, statsd)
+
 # Communicate over a socket created by surfaceflinger.
 allow system_server surfaceflinger:unix_stream_socket { read write setopt };


--- a/private/zygote.te
+++ b/private/zygote.te
@@ -96,6 +96,9 @@ allow zygote sdcardfs:dir { mounton };
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;

+# Allow zygote to write to statsd.
+unix_socket_send(zygote, statsdw, statsd)
+
 # Root fs.
 r_dir_file(zygote, rootfs)


--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -26,6 +26,9 @@ allow bootstat kernel:system syslog_read;
 # Allow access to reading the logs to read aspects of system health
 read_logd(bootstat)

+# Allow bootstat write to statsd.
+unix_socket_send(bootstat, statsdw, statsd)
+
 # ToDo: end

 neverallow {

--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -49,6 +49,9 @@ allow lmkd proc_sysrq:file rw_file_perms;
 # Read /proc/meminfo
 allow lmkd proc_meminfo:file r_file_perms;

+# Allow lmkd to write to statsd.
+unix_socket_send(lmkd, statsdw, statsd)
+
 ### neverallow rules

 # never honor LD_PRELOAD

--- a/public/statsd.te
+++ b/public/statsd.te
@@ -67,10 +67,7 @@ allow statsd adbd:fd use;
 allow statsd adbd:unix_stream_socket { getattr read write };
 allow statsd shell:fifo_file { getattr read };

-unix_socket_send(bootstat, statsdw, statsd)
-unix_socket_send(lmkd, statsdw, statsd)
 unix_socket_send(statsd, statsdw, statsd)
-unix_socket_send(system_server, statsdw, statsd)

 ###
 ### neverallow rules