platform_system_sepolicy/private/shell.te

30 lines
804 B
Text
Raw Normal View History

typeattribute shell coredomain;
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
tracefs: avoid overly generic regexes On boot, Android runs restorecon on a number of virtual directories, such as /sys and /sys/kernel/debug, to ensure that the SELinux labels are correct. To avoid causing excessive boot time delays, the restorecon code aggressively prunes directories, to avoid recursing down directory trees which will never have a matching SELinux label. See: * https://android-review.googlesource.com/93401 * https://android-review.googlesource.com/109103 The key to this optimization is avoiding unnecessarily broad regular expressions in file_contexts. If an overly broad regex exists, the tree pruning code is ineffective, and the restorecon ends up visiting lots of unnecessary directories. The directory /sys/kernel/debug/tracing contains approximately 4500 files normally, and on debuggable builds, this number can jump to over 9000 files when the processing from wifi-events.rc occurs. For comparison, the entire /sys/kernel/debug tree (excluding /sys/kernel/debug/tracing) only contains approximately 8000 files. The regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching a significant number of files, which impacts boot performance. Instead of using an overly broad regex, refine the regex so only the files needed have an entry in file_contexts. This list of files is essentially a duplicate of the entries in frameworks/native/cmds/atrace/atrace.rc . This change reduces the restorecon_recursive call for /sys/kernel/debug from approximately 260ms to 40ms, a boot time reduction of approximately 220ms. Bug: 35248779 Test: device boots, no SELinux denials, faster boot. Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
2017-02-12 07:01:58 +01:00
allow shell debugfs_tracing:file r_file_perms;
allow shell tracing_shell_writable:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
# read config.gz for CTS purposes
allow shell config_gz:file r_file_perms;
userdebug_or_eng(`
allow shell tracing_shell_writable_debug:file rw_file_perms;
')
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
# allow shell to call dumpsys storaged
binder_call(shell, storaged)
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)