tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge changes from topic "user-build-traceur"

Browse source 
am: 0fe4586bb1

Change-Id: Ic94be9aec1a83109ba08540fca9e0f71de5037cf
This commit is contained in:
Carmen Jackson 2018-02-05 20:41:29 +00:00 committed by android-build-merger
commit 5f15d4edc7
9 changed files with 77 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
private/atrace.te
View file

@ -14,6 +14,7 @@ userdebug_or_eng(`
# Allow atrace to access tracefs. # Allow atrace to access tracefs.
allow atrace debugfs_tracing:dir r_dir_perms; allow atrace debugfs_tracing:dir r_dir_perms;
allow atrace debugfs_tracing:file rw_file_perms; allow atrace debugfs_tracing:file rw_file_perms;
allow atrace debugfs_tracing_debug:dir r_dir_perms;
allow atrace debugfs_tracing_debug:file rw_file_perms; allow atrace debugfs_tracing_debug:file rw_file_perms;
allow atrace debugfs_trace_marker:file getattr; allow atrace debugfs_trace_marker:file getattr;

7
private/domain.te
View file

@ -17,6 +17,13 @@ neverallow {
# Limit ability to generate hardware unique device ID attestations to priv_apps # Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id; neverallow { domain -priv_app } *:keystore_key gen_unique_id;
neverallow {
domain
-init
-vendor_init
userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
# Core domains are not permitted to use kernel interfaces which are not # Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled. # explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain. # TODO(b/65643247): Apply these neverallow rules to all coredomain.

1
private/dumpstate.te
View file

@ -14,6 +14,7 @@ allow dumpstate dumpstate_tmpfs:file execute;
# systrace support - allow atrace to run # systrace support - allow atrace to run
allow dumpstate debugfs_tracing:dir r_dir_perms; allow dumpstate debugfs_tracing:dir r_dir_perms;
allow dumpstate debugfs_tracing:file rw_file_perms; allow dumpstate debugfs_tracing:file rw_file_perms;
allow dumpstate debugfs_tracing_debug:dir r_dir_perms;
allow dumpstate debugfs_trace_marker:file getattr; allow dumpstate debugfs_trace_marker:file getattr;
allow dumpstate atrace_exec:file rx_file_perms; allow dumpstate atrace_exec:file rx_file_perms;
allow dumpstate storaged_exec:file rx_file_perms; allow dumpstate storaged_exec:file rx_file_perms;

62
private/genfs_contexts
View file

@ -123,7 +123,12 @@ genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0 genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
genfscon debugfs /tracing u:object_r:debugfs_tracing:s0 genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
genfscon tracefs /trace u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0 genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0 genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0 genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
@ -148,7 +153,6 @@ genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:
genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0 genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0 genfscon debugfs /tracing/events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0 genfscon debugfs /tracing/events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/sync/enable u:object_r:debugfs_tracing_debug:s0 genfscon tracefs /events/sync/enable u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/workqueue/enable u:object_r:debugfs_tracing_debug:s0 genfscon tracefs /events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
@ -166,12 +170,62 @@ genfscon tracefs /events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_
genfscon tracefs /events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0 genfscon tracefs /events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0 genfscon tracefs /events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0 genfscon tracefs /events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_switch/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_wakeup/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_blocked_reason/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_cpu_hotplug/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cgroup/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_idle/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_set_rate/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_received/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_lock/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_locked/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_unlock/enable u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_switch/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_blocked_reason/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cgroup/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_idle/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_set_rate/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_received/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_lock/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_locked/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/enable u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/enable u:object_r:debugfs_tracing:s0
genfscon inotifyfs / u:object_r:inotify:s0 genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0 genfscon vfat / u:object_r:vfat:s0
genfscon debugfs / u:object_r:debugfs:s0 genfscon debugfs / u:object_r:debugfs:s0
genfscon tracefs / u:object_r:debugfs_tracing:s0
genfscon fuse / u:object_r:fuse:s0 genfscon fuse / u:object_r:fuse:s0
genfscon configfs / u:object_r:configfs:s0 genfscon configfs / u:object_r:configfs:s0
genfscon sdcardfs / u:object_r:sdcardfs:s0 genfscon sdcardfs / u:object_r:sdcardfs:s0

7
private/shell.te
View file

@ -4,18 +4,19 @@ typeattribute shell coredomain;
allow shell uhid_device:chr_file rw_file_perms; allow shell uhid_device:chr_file rw_file_perms;
# systrace support - allow atrace to run # systrace support - allow atrace to run
allow shell debugfs_tracing_debug:dir r_dir_perms;
allow shell debugfs_tracing:dir r_dir_perms; allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms; allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr; allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms; allow shell atrace_exec:file rx_file_perms;
# read config.gz for CTS purposes
allow shell config_gz:file r_file_perms;
userdebug_or_eng(` userdebug_or_eng(`
allow shell debugfs_tracing_debug:file rw_file_perms; allow shell debugfs_tracing_debug:file rw_file_perms;
') ')
# read config.gz for CTS purposes
allow shell config_gz:file r_file_perms;
# Run app_process. # Run app_process.
# XXX Transition into its own domain? # XXX Transition into its own domain?
app_domain(shell) app_domain(shell)

3
private/traceur_app.te
View file

@ -2,6 +2,7 @@ typeattribute traceur_app coredomain;
app_domain(traceur_app); app_domain(traceur_app);
allow traceur_app debugfs_tracing:file rw_file_perms; allow traceur_app debugfs_tracing:file rw_file_perms;
allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
userdebug_or_eng(` userdebug_or_eng(`
allow traceur_app debugfs_tracing_debug:file rw_file_perms; allow traceur_app debugfs_tracing_debug:file rw_file_perms;
@ -10,3 +11,5 @@ userdebug_or_eng(`
allow traceur_app trace_data_file:file create_file_perms; allow traceur_app trace_data_file:file create_file_perms;
allow traceur_app trace_data_file:dir { add_name getattr search write }; allow traceur_app trace_data_file:dir { add_name getattr search write };
allow traceur_app atrace_exec:file rx_file_perms; allow traceur_app atrace_exec:file rx_file_perms;
dontaudit traceur_app debugfs_tracing_debug:file audit_access;

1
public/domain.te
View file

@ -241,6 +241,7 @@ allow domain cgroup:file w_file_perms;
# The reason behind this is documented in b/6513400 # The reason behind this is documented in b/6513400
allow domain debugfs:dir search; allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search; allow domain debugfs_tracing:dir search;
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms; allow domain debugfs_trace_marker:file w_file_perms;
# Filesystem access. # Filesystem access.

2
public/file.te
View file

@ -379,7 +379,7 @@ allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate; allow cgroup tmpfs:filesystem associate;
allow cgroup_bpf tmpfs:filesystem associate; allow cgroup_bpf tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate; allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate; allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type labeledfs:filesystem associate; allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate; allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate; allow file_type rootfs:filesystem associate;

2
public/init.te
View file

@ -199,7 +199,7 @@ allow init {
allow init cache_file:lnk_file r_file_perms; allow init cache_file:lnk_file r_file_perms;
allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto; allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom }; allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr }; allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms; allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create; allow init dev_type:lnk_file create;