From a5d07925080f59073b03d24d3997aecd6d4bbf2c Mon Sep 17 00:00:00 2001
From: David Sehr <sehr@google.com>
Date: Fri, 27 May 2016 12:41:35 -0700
Subject: [PATCH] SELinux policy for /data/misc/profman

Bug: 28748264
Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5
---
 adbd.te       | 4 ++++
 file.te       | 2 ++
 file_contexts | 1 +
 installd.te   | 3 +++
 profman.te    | 2 ++
 shell.te      | 4 ++++
 6 files changed, 16 insertions(+)

diff --git a/adbd.te b/adbd.te
index b44cf0dd7..9dc41fd94 100644
--- a/adbd.te
+++ b/adbd.te
@@ -34,6 +34,10 @@ allow adbd devpts:chr_file rw_file_perms;
 allow adbd shell_data_file:dir create_dir_perms;
 allow adbd shell_data_file:file create_file_perms;
 
+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
 # adb push/pull sdcard.
 allow adbd tmpfs:dir search;
 allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
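Review bot: The two new `allow adbd profman_dump_data_file` rules are unconditional, so on user builds adbd can pull everything under /data/misc/profman, while comparable debug-only access elsewhere in this policy (the `nativetest_data_file` rules in shell.te) is wrapped in `userdebug_or_eng(...)`. Nothing in the patch says whether these dumps are a development aid or production data; if they are the former, the same gating would keep the data off release builds. Concretely, wrap both lines: `userdebug_or_eng(\`` / `allow adbd profman_dump_data_file:dir r_dir_perms; allow adbd profman_dump_data_file:file r_file_perms;` / `')`, matching the shell.te pattern.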
diff --git a/file.te b/file.te
index ce9eff9f8..d2894ffd9 100644
--- a/file.te
+++ b/file.te
@@ -94,6 +94,8 @@ type ota_data_file, file_type, data_file_type;
 # /data/misc/profiles
 type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
 type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/misc/profman
+type profman_dump_data_file, file_type, data_file_type;
 # /data/resource-cache
 type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
diff --git a/file_contexts b/file_contexts
index 062b92937..0192ea3cd 100644
--- a/file_contexts
+++ b/file_contexts
@@ -302,6 +302,7 @@
 /data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
 /data/misc/profiles/cur/[0-9]+/foreign-dex(/.*)? u:object_r:user_profile_foreign_dex_data_file:s0
 /data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0
+/data/misc/profman(/.*)?        u:object_r:profman_dump_data_file:s0
 
 # Fingerprint data
 /data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
diff --git a/installd.te b/installd.te
index 0e640419f..365722b3f 100644
--- a/installd.te
+++ b/installd.te
@@ -119,6 +119,9 @@ allow installd user_profile_data_file:dir create_dir_perms;
 allow installd user_profile_data_file:file create_file_perms;
 allow installd user_profile_data_file:dir rmdir;
 allow installd user_profile_data_file:file unlink;
+# Files created/updated by profman dumps.
+allow installd profman_dump_data_file:dir { search add_name write };
+allow installd profman_dump_data_file:file { create setattr open write };
 
 # Create and use pty created by android_fork_execvp().
 allow installd devpts:chr_file rw_file_perms;
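Review bot: The added dir rule grants installd `{ search add_name write }` but not `create`, and the patch adds no init.rc entry, so /data/misc/profman must already exist and be labeled by the new file_contexts entry through some mechanism outside this change; a comment stating where the directory comes from would stop a later reader from "fixing" it with `create_dir_perms`. The file rule grants `setattr` without `getattr`, which looks like a chmod/chown after creation (inferred, worth confirming). The comment `# Files created/updated by profman dumps.` also understates the split visible in this patch: installd holds `create`/`open`/`write` while profman.te gets only `write` plus `installd:fd use`, so `# installd creates the dump file and hands the open fd to profman, which only writes to it.` would describe the actual flow.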
diff --git a/profman.te b/profman.te
index 92a23e22f..989706962 100644
--- a/profman.te
+++ b/profman.te
@@ -4,6 +4,8 @@ type profman_exec, exec_type, file_type;
 
 allow profman user_profile_data_file:file { getattr read write lock };
 
+allow profman profman_dump_data_file:file { write };
+
 allow profman installd:fd use;
 
 neverallow profman app_data_file:notdevfile_class_set open;
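Review bot: `allow profman profman_dump_data_file:file { write };` omits `open`, which together with `allow profman installd:fd use;` two lines below means profman can only write to a dump through a descriptor it inherits from installd; that is a useful restriction, but undocumented it reads like an oversight and will attract an `open` later. Add a comment above the rule: `# Dump files are opened by installd and passed in as an fd; profman must never open or create them itself.` Since this file already pins profman's boundaries with neverallow (the app_data_file rule just below), consider locking it in with `neverallow profman profman_dump_data_file:file { open create };` if no direct-open use case exists.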
diff --git a/shell.te b/shell.te
index d8c6dd49b..ec8d743a4 100644
--- a/shell.te
+++ b/shell.te
@@ -34,6 +34,10 @@ allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;
 
+# Access /data/misc/profman.
+allow shell profman_dump_data_file:dir { search getattr write remove_name };
+allow shell profman_dump_data_file:file { getattr unlink };
+
 # Read/execute files in /data/nativetest
 userdebug_or_eng(`
   allow shell nativetest_data_file:dir r_dir_perms;
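Review bot: The four new shell rules are unconditional, so on user builds shell can `unlink` any dump file and `remove_name` in /data/misc/profman, whereas the `userdebug_or_eng(` block that starts right after them (and continues past the end of this hunk) shows the pattern this file uses for debug-only access. If these dumps are only consumed during development, move the new lines inside that macro, e.g. `userdebug_or_eng(\`` before `allow shell profman_dump_data_file:dir { search getattr write remove_name };` and the file rule, closed with `')`. Note that shell gets no `read` on the files, so retrieval happens via adbd's `adb pull` rules rather than from shell directly; that is consistent, but worth a one-line comment so the asymmetry is not mistaken for a missing permission.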
-- 
GitLab