Allow system server to write profile snapshots in /data/misc/profman

The goal is to allow creating profile snapshots from the shell command in order to be able to write CTS tests. The system server will dump profiles for debuggable in /data/misc/profman from where they will be pulled and verified by CTS tests. Test: adb shell cmd package snapshot-profile com.android.vending Bug: 74081010 Change-Id: I54690305284b92c0e759538303cb98c93ce92dd5

Allow system server to write profile snapshots in /data/misc/profman
687d5e46 · Calin Juravle · 7ea7f12d · 687d5e46 · 687d5e46 · 687d5e46
Commit 687d5e46 authored May 5, 2018 by Calin Juravle
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -775,6 +775,11 @@ allow system_server netd:bpf map_read;
 allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };

+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
 # On userdebug build we may profile system server. Allow it to write and create its own profile.
 userdebug_or_eng(`
  allow system_server user_profile_data_file:file create_file_perms;

--- a/prebuilts/api/28.0/public/shell.te
+++ b/prebuilts/api/28.0/public/shell.te
@@ -30,8 +30,8 @@ allow shell trace_data_file:file { r_file_perms unlink };
 allow shell trace_data_file:dir { r_dir_perms remove_name write };

 # Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };

 # Read/execute files in /data/nativetest
 userdebug_or_eng(`

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -775,6 +775,11 @@ allow system_server netd:bpf map_read;
 allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };

+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
 # On userdebug build we may profile system server. Allow it to write and create its own profile.
 userdebug_or_eng(`
  allow system_server user_profile_data_file:file create_file_perms;

--- a/public/shell.te
+++ b/public/shell.te
@@ -30,8 +30,8 @@ allow shell trace_data_file:file { r_file_perms unlink };
 allow shell trace_data_file:dir { r_dir_perms remove_name write };

 # Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };

 # Read/execute files in /data/nativetest
 userdebug_or_eng(`