SELinux policy for /data/misc/profman

Bug: 28748264 Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5

SELinux policy for /data/misc/profman
a5d07925 · David Sehr · 0e1153ec · a5d07925 · a5d07925 · a5d07925
Commit a5d07925 authored 8 years ago by David Sehr
--- a/adbd.te
+++ b/adbd.te
@@ -34,6 +34,10 @@ allow adbd devpts:chr_file rw_file_perms;
 allow adbd shell_data_file:dir create_dir_perms;
 allow adbd shell_data_file:file create_file_perms;

+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
 # adb push/pull sdcard.
 allow adbd tmpfs:dir search;
 allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink

--- a/file.te
+++ b/file.te
@@ -94,6 +94,8 @@ type ota_data_file, file_type, data_file_type;
 # /data/misc/profiles
 type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
 type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/misc/profman
+type profman_dump_data_file, file_type, data_file_type;
 # /data/resource-cache
 type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell

--- a/file_contexts
+++ b/file_contexts
@@ -302,6 +302,7 @@
 /data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
 /data/misc/profiles/cur/[0-9]+/foreign-dex(/.*)? u:object_r:user_profile_foreign_dex_data_file:s0
 /data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0
+/data/misc/profman(/.*)?        u:object_r:profman_dump_data_file:s0

 # Fingerprint data
 /data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0

--- a/installd.te
+++ b/installd.te
@@ -119,6 +119,9 @@ allow installd user_profile_data_file:dir create_dir_perms;
 allow installd user_profile_data_file:file create_file_perms;
 allow installd user_profile_data_file:dir rmdir;
 allow installd user_profile_data_file:file unlink;
+# Files created/updated by profman dumps.
+allow installd profman_dump_data_file:dir { search add_name write };
+allow installd profman_dump_data_file:file { create setattr open write };

 # Create and use pty created by android_fork_execvp().
 allow installd devpts:chr_file rw_file_perms;

--- a/profman.te
+++ b/profman.te
@@ -4,6 +4,8 @@ type profman_exec, exec_type, file_type;

 allow profman user_profile_data_file:file { getattr read write lock };

+allow profman profman_dump_data_file:file { write };
+
 allow profman installd:fd use;

 neverallow profman app_data_file:notdevfile_class_set open;
--- a/shell.te
+++ b/shell.te
@@ -34,6 +34,10 @@ allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;

+# Access /data/misc/profman.
+allow shell profman_dump_data_file:dir { search getattr write remove_name };
+allow shell profman_dump_data_file:file { getattr unlink };
+
 # Read/execute files in /data/nativetest
 userdebug_or_eng(`
  allow shell nativetest_data_file:dir r_dir_perms;