summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4bdefb5)
raw | patch | inline | side by side (parent: 4bdefb5)
| author | yro <yro@google.com> | |
| Thu, 29 Mar 2018 18:07:13 +0000 (11:07 -0700) | ||
| committer | yro <yro@google.com> | |
| Fri, 30 Mar 2018 22:58:58 +0000 (15:58 -0700) |
Test: manually tested to prevent sepolicy violation
Change-Id: I9ebcc86464a9fc61a49d5c9be40f19f3523b6785
Change-Id: I9ebcc86464a9fc61a49d5c9be40f19f3523b6785
| private/statsd.te | patch | blob | history | |
| private/system_server.te | patch | blob | history |
diff --git a/private/statsd.te b/private/statsd.te
index dfec7a4825758a6149aa6c8bedb65af1b950c58c..fec10a4b69aa8d35f7085fb59657da9341d56add 100644 (file)
--- a/private/statsd.te
+++ b/private/statsd.te
# Only statsd and the other root services in limited circumstances.
# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
# Limited access to the directory itself.
-neverallow { domain -statsd -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
index 99c5442c4ea6809bf3a934d910e30a35e9e6ee0c..0d9f72c1703ab50d1c0537c36fa7b4820477985a 100644 (file)
--- a/private/system_server.te
+++ b/private/system_server.te
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
+# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
+allow system_server stats_data_file:dir { open read remove_name search write };
+allow system_server stats_data_file:file unlink;
+
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;
allow system_server debugfs_wakeup_sources:file r_file_perms;