From 31b11d8ef894f60d1d63de6c5fc9d75f59d50bcc Mon Sep 17 00:00:00 2001
From: yro <yro@google.com>
Date: Tue, 9 Jan 2018 11:27:36 -0800
Subject: [PATCH] Update priv_app selinux policy to allow gmscore to be able to
 communicate with statsd

Test: manual testing conducted
Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
---
 private/priv_app.te | 12 ++++++++----
 private/statsd.te   |  1 +
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/private/priv_app.te b/private/priv_app.te
index 9f8ef7946..ea1ce5b16 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -21,22 +21,23 @@ allow priv_app self:process ptrace;
 # to their sandbox directory and then dlopen().
 allow priv_app app_data_file:file execute;
 
+allow priv_app app_api_service:service_manager find;
 allow priv_app audioserver_service:service_manager find;
 allow priv_app cameraserver_service:service_manager find;
 allow priv_app drmserver_service:service_manager find;
 allow priv_app mediacodec_service:service_manager find;
-allow priv_app mediametrics_service:service_manager find;
 allow priv_app mediadrmserver_service:service_manager find;
 allow priv_app mediaextractor_service:service_manager find;
+allow priv_app mediametrics_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
 allow priv_app network_watchlist_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
 allow priv_app oem_lock_service:service_manager find;
-allow priv_app radio_service:service_manager find;
-allow priv_app app_api_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
 allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app radio_service:service_manager find;
 allow priv_app recovery_service:service_manager find;
+allow priv_app stats_service:service_manager find;
+allow priv_app system_api_service:service_manager find;
 
 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
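Review bot: The added `allow priv_app stats_service:service_manager find;` lets every process in the priv_app domain look up the stats service, not only GMS core as the subject line says, because the rule is written against the domain. The same breadth applies to `binder_call(priv_app, statsd)` in the next hunk and to the `-priv_app` exemption in private/statsd.te. If that is intended, the commit message should say "priv_app" so reviewers of the neverallow change see it was deliberate. The alphabetical re-sort of the other `find` rules is behaviour-neutral, but it buries the one functional line and would read better as a separate commit.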
@@ -95,6 +96,9 @@ allow priv_app update_engine_service:service_manager find;
 binder_call(priv_app, storaged)
 allow priv_app storaged_service:service_manager find;
 
+# Allow GMS core to communicate with statsd.
+binder_call(priv_app, statsd)
+
 # Allow Phone to read/write cached ringtones (opened by system).
 allow priv_app ringtone_file:file { getattr read write };
 
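Review bot: The comment `# Allow GMS core to communicate with statsd.` understates the rule, since `binder_call(priv_app, statsd)` applies to the whole priv_app domain. A more accurate comment would be `# Allow priv_app (needed by GMS core) to call statsd over binder; this covers all privileged apps.` The storaged block just above keeps its `binder_call` and its `storaged_service:service_manager find` rule together, so placing `allow priv_app stats_service:service_manager find;` next to this line would keep the statsd grant in one auditable spot. If statsd is expected to call back into the app, a rule in the other direction would also be needed; statsd.te is only partly visible here, so that needs confirming.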
diff --git a/private/statsd.te b/private/statsd.te
index 617021af7..9d78ebb40 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -55,6 +55,7 @@ binder_call(statsd, stats)
 neverallow {
   domain
   -dumpstate
+  -priv_app
   -shell
   -stats
   -statsd
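Review bot: Adding `-priv_app` to this neverallow exempts the entire privileged-app domain from a build-time guarantee, and nothing next to it records why. The statement's target class and permissions lie below the hunk, so what is being opened up cannot be confirmed from here; presumably it is the stats service lookup. A comment above the block would help, for example `# priv_app is exempted so GMS core can reach statsd; keep this exception list minimal.` The comment should give anyone extending the list a reason to justify each new domain.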
-- 
GitLab