Snap for 4773106 from dfaf3915 to pi-release

Change-Id: I78306f8e27fa87e1dad261981bd9b31a63f06178

Snap for 4773106 from dfaf3915 to pi-release
a3fbe664 · android-build-team Robot · 2b993a0e · dfaf3915 · a3fbe664 · a3fbe664
Commit a3fbe664 authored May 10, 2018 by android-build-team Robot
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -775,6 +775,11 @@ allow system_server netd:bpf map_read;
 allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
 # On userdebug build we may profile system server. Allow it to write and create its own profile.
 userdebug_or_eng(`
  allow system_server user_profile_data_file:file create_file_perms;

--- a/prebuilts/api/28.0/public/shell.te
+++ b/prebuilts/api/28.0/public/shell.te
@@ -30,8 +30,8 @@ allow shell trace_data_file:file { r_file_perms unlink };
 allow shell trace_data_file:dir { r_dir_perms remove_name write };
 # Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
 # Read/execute files in /data/nativetest
 userdebug_or_eng(`

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -775,6 +775,11 @@ allow system_server netd:bpf map_read;
 allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
 # On userdebug build we may profile system server. Allow it to write and create its own profile.
 userdebug_or_eng(`
  allow system_server user_profile_data_file:file create_file_perms;

--- a/public/shell.te
+++ b/public/shell.te
@@ -30,8 +30,8 @@ allow shell trace_data_file:file { r_file_perms unlink };
 allow shell trace_data_file:dir { r_dir_perms remove_name write };
 # Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
 # Read/execute files in /data/nativetest
 userdebug_or_eng(`