bootchart: add policy rules for bootchart

allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>

bootchart: add policy rules for bootchart
allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
cc38e6d1 · Yongqin Liu · 7d1b6c87 · cc38e6d1 · cc38e6d1 · cc38e6d1
Commit cc38e6d1 authored 10 years ago by Yongqin Liu
--- a/adbd.te
+++ b/adbd.te
@@ -80,3 +80,5 @@ allow adbd system_file:file r_file_perms;
 allow adbd kernel:security read_policy;
 allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
--- a/file.te
+++ b/file.te
@@ -79,6 +79,8 @@ type shell_data_file, file_type, data_file_type, mlstrustedobject;
 type gps_data_file, file_type, data_file_type;
 # /data/property
 type property_data_file, file_type, data_file_type;
+# /data/bootchart
+type bootchart_data_file, file_type, data_file_type;
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;

--- a/file_contexts
+++ b/file_contexts
@@ -227,6 +227,9 @@
 /data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
+# Bootchart data
+/data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 # coredump directory for userdebug/eng devices
 /cores(/.*)?                    u:object_r:coredump_file:s0

--- a/init.te
+++ b/init.te
 # init switches to init domain (via init.rc).
-type init, domain;
+type init, domain, mlstrustedsubject;
 permissive_or_unconfined(init)
 tmpfs_domain(init)
@@ -164,6 +164,11 @@ allow init shell_data_file:file { getattr };
 # Set UID and GID for services.
 allow init self:capability { setuid setgid };
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
 # Use setexeccon(), setfscreatecon(), and setsockcreatecon().
 # setexec is for services with seclabel options.
 # setfscreate is for labeling directories and socket files.

--- a/shell.te
+++ b/shell.te
@@ -64,3 +64,9 @@ allow shell service_manager_type:service_manager find;
 # allow shell to look through /proc/ for ps, top
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
+# enable shell domain to read/write files/dirs for bootchart data
+# User will creates the start and stop file via adb shell
+# and read other files created by init process under /data/bootchart
+allow shell bootchart_data_file:dir rw_dir_perms;
+allow shell bootchart_data_file:file create_file_perms;