From cc38e6d1a4c39a0bdffdb51811f9d6b32fdaa7de Mon Sep 17 00:00:00 2001
From: Yongqin Liu <yongqin.liu@linaro.org>
Date: Fri, 5 Dec 2014 13:40:22 +0800
Subject: [PATCH] bootchart: add policy rules for bootchart

allow the bootchart to create dir and files at init,
also allow user to create the stop and start file under
/data/bootchart directory to start and stop bootchart

Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
---
 adbd.te       | 2 ++
 file.te       | 2 ++
 file_contexts | 3 +++
 init.te       | 7 ++++++-
 shell.te      | 6 ++++++
 5 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/adbd.te b/adbd.te
index f5cebd269..c80dba430 100644
--- a/adbd.te
+++ b/adbd.te
@@ -80,3 +80,5 @@ allow adbd system_file:file r_file_perms;
 allow adbd kernel:security read_policy;
 
 allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
diff --git a/file.te b/file.te
index ae1079c4f..a0173831e 100644
--- a/file.te
+++ b/file.te
@@ -79,6 +79,8 @@ type shell_data_file, file_type, data_file_type, mlstrustedobject;
 type gps_data_file, file_type, data_file_type;
 # /data/property
 type property_data_file, file_type, data_file_type;
+# /data/bootchart
+type bootchart_data_file, file_type, data_file_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index 04fa4c729..d51047686 100644
--- a/file_contexts
+++ b/file_contexts
@@ -227,6 +227,9 @@
 /data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 
+# Bootchart data
+/data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
+
 # coredump directory for userdebug/eng devices
 /cores(/.*)?                    u:object_r:coredump_file:s0
 
diff --git a/init.te b/init.te
index 1283ec709..d81f5afb6 100644
--- a/init.te
+++ b/init.te
@@ -1,5 +1,5 @@
 # init switches to init domain (via init.rc).
-type init, domain;
+type init, domain, mlstrustedsubject;
 permissive_or_unconfined(init)
 tmpfs_domain(init)
 
@@ -164,6 +164,11 @@ allow init shell_data_file:file { getattr };
 # Set UID and GID for services.
 allow init self:capability { setuid setgid };
 
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
 # Use setexeccon(), setfscreatecon(), and setsockcreatecon().
 # setexec is for services with seclabel options.
 # setfscreate is for labeling directories and socket files.
diff --git a/shell.te b/shell.te
index 6af371722..d31a496e1 100644
--- a/shell.te
+++ b/shell.te
@@ -64,3 +64,9 @@ allow shell service_manager_type:service_manager find;
 # allow shell to look through /proc/ for ps, top
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
+
+# enable shell domain to read/write files/dirs for bootchart data
+# User will creates the start and stop file via adb shell
+# and read other files created by init process under /data/bootchart
+allow shell bootchart_data_file:dir rw_dir_perms;
+allow shell bootchart_data_file:file create_file_perms;
-- 
GitLab