Statsd allow shell in selinux policy

CTS tests need to be able to call, from hostside: adb shell cmd stats dump-report (and others) On a user build, this will fail because of an selinux policy violation from shell. This cl fixes this by granting shell permission. Similarly, Settings needs to communicate with statsd, so system_app-statsd binder calls are given permission. Bug: 72961153 Bug: 73255014 Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests Test: manual confirmation Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02

Statsd allow shell in selinux policy
022ab0e7 · Bookatz · 7a567e3a · 022ab0e7 · 022ab0e7 · 022ab0e7
Commit 022ab0e7 authored 7 years ago by Bookatz
--- a/private/shell.te
+++ b/private/shell.te
@@ -45,6 +45,9 @@ domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
 # when exec()-d by statsd.
 domain_auto_trans(shell, perfetto_exec, perfetto)

+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
 # Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
 allow shell perfetto_traces_data_file:dir rw_dir_perms;
 allow shell perfetto_traces_data_file:file r_file_perms;
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -72,6 +72,11 @@ binder_call(statsd, stats)
 allow statsd proc_uid_cputime_showstat:file { getattr open read };
 hal_client_domain(statsd, hal_power)

+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { read write };
+
+
 ###
 ### neverallow rules
 ###

--- a/private/system_app.te
+++ b/private/system_app.te
@@ -58,6 +58,9 @@ allow system_app anr_data_file:file create_file_perms;
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;

+# Allow system apps (like Settings) to interact with statsd
+binder_call(system_app, statsd)
+
 # Allow system apps to interact with incidentd
 binder_call(system_app, incidentd)