DO NOT MERGE: Allow shell debugfs read access

Developers should be able to use systrace with user builds. This requires read access to /sys/kernel/debug/tracing/trace, otherwise the following error occurs:

    $ atrace
    capturing trace... done
    TRACE: error opening /sys/kernel/debug/tracing/trace: Permission denied (13)

with the following SELinux denial:

    <4>[ 79.830542] type=1400 audit(11940551.039:8): avc: denied { read } for pid=1156 comm="atrace" name="trace" dev="debugfs" ino=3024 scontext=u:r:shell:s0 tcontext=u:object_r:debugfs:s0 tclass=file

At least on the kernel I've tested this on, debugfs doesn't support setting SELinux file labels. Grant read access to all of debugfs to work around this limitation.

Bug: 13904660
Change-Id: Ic494bfccafc8f6887c8a4c8278b91245459aea41
This commit is contained in:

parent: b55ebfb076
commit: 60a89a7e75

1 changed file with 7 additions and 0 deletions
@ -39,3 +39,10 @@ allow shelldomain app_data_file:dir search;
# ps and ps -Z output for app processes.
r_dir_file(shelldomain, appdomain)
allow shelldomain appdomain:process getattr;

# systrace support - allow atrace to run
# debugfs doesn't support labeling individual files, so we have
# to grant read access to all of /sys/kernel/debug.
# Directory read access and file write access is already granted
# in domain.te.
allow shelldomain debugfs:file r_file_perms;
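Review bot: the rule at the end of the hunk, `allow shelldomain debugfs:file r_file_perms;`, grants more than the single `read` the quoted denial asked for: `r_file_perms` applies to every file labeled `debugfs`, not only /sys/kernel/debug/tracing/trace, and the in-policy comment already acknowledges this is a workaround for debugfs not supporting per-file labels. Since the subject line is marked DO NOT MERGE, the comment should state the intended follow-up (narrowing the grant once the kernel can label individual debugfs files) so the broad rule is not left in place by accident, and the statement that directory read and file write access is "already granted in domain.te" is not visible in this hunk and should be confirmed against that file before the comment relies on it.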