2017-03-23 22:27:32 +01:00
|
|
|
typeattribute shell coredomain;
|
|
|
|
|
2017-05-11 04:37:06 +02:00
|
|
|
# allow shell input injection
|
|
|
|
allow shell uhid_device:chr_file rw_file_perms;
|
|
|
|
|
2016-10-12 23:58:09 +02:00
|
|
|
# systrace support - allow atrace to run
|
|
|
|
allow shell debugfs_tracing:dir r_dir_perms;
|
tracefs: avoid overly generic regexes
On boot, Android runs restorecon on a number of virtual directories,
such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
are correct. To avoid causing excessive boot time delays, the restorecon
code aggressively prunes directories, to avoid recursing down directory
trees which will never have a matching SELinux label.
See:
* https://android-review.googlesource.com/93401
* https://android-review.googlesource.com/109103
The key to this optimization is avoiding unnecessarily broad regular
expressions in file_contexts. If an overly broad regex exists, the tree
pruning code is ineffective, and the restorecon ends up visiting lots of
unnecessary directories.
The directory /sys/kernel/debug/tracing contains approximately 4500
files normally, and on debuggable builds, this number can jump to over
9000 files when the processing from wifi-events.rc occurs. For
comparison, the entire /sys/kernel/debug tree (excluding
/sys/kernel/debug/tracing) only contains approximately 8000 files. The
regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
a significant number of files, which impacts boot performance.
Instead of using an overly broad regex, refine the regex so only the
files needed have an entry in file_contexts. This list of files is
essentially a duplicate of the entries in
frameworks/native/cmds/atrace/atrace.rc .
This change reduces the restorecon_recursive call for /sys/kernel/debug
from approximately 260ms to 40ms, a boot time reduction of approximately
220ms.
Bug: 35248779
Test: device boots, no SELinux denials, faster boot.
Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
2017-02-12 07:01:58 +01:00
|
|
|
allow shell debugfs_tracing:file r_file_perms;
|
|
|
|
allow shell tracing_shell_writable:file rw_file_perms;
|
2016-10-12 23:58:09 +02:00
|
|
|
allow shell debugfs_trace_marker:file getattr;
|
|
|
|
allow shell atrace_exec:file rx_file_perms;
|
|
|
|
|
2017-05-08 23:38:45 +02:00
|
|
|
# read config.gz for CTS purposes
|
|
|
|
allow shell config_gz:file r_file_perms;
|
|
|
|
|
2017-04-14 21:12:50 +02:00
|
|
|
userdebug_or_eng(`
|
|
|
|
allow shell tracing_shell_writable_debug:file rw_file_perms;
|
|
|
|
')
|
|
|
|
|
2016-12-08 20:23:34 +01:00
|
|
|
# Run app_process.
|
|
|
|
# XXX Transition into its own domain?
|
|
|
|
app_domain(shell)
|
2017-03-23 20:28:20 +01:00
|
|
|
|
|
|
|
# allow shell to call dumpsys storaged
|
|
|
|
binder_call(shell, storaged)
|
2017-05-08 18:51:59 +02:00
|
|
|
|
|
|
|
# Perform SELinux access checks, needed for CTS
|
|
|
|
selinux_check_access(shell)
|
|
|
|
selinux_check_context(shell)
|