From 44826cb5e4b20e0f7b7bfa72f64767e5fcc4f253 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Mon, 7 Dec 2015 17:02:31 -0800 Subject: [PATCH] Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker Add initial support for labeling files on /sys/kernel/debug. The kernel support was added in https://android-review.googlesource.com/122130 but the userspace portion of the change was never completed until now. Start labeling the file /sys/kernel/debug/tracing/trace_marker . This is the trace_marker file, which is written to by almost all processes in Android. Allow global write access to this file. This change should be submitted at the same time as the system/core commit with the same Change-Id as this patch. Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d --- attributes | 3 +++ domain.te | 6 ++++++ domain_deprecated.te | 5 +++++ file.te | 2 ++ file_contexts | 5 +++++ init.te | 4 ++-- shell.te | 5 +++-- 7 files changed, 26 insertions(+), 4 deletions(-) diff --git a/attributes b/attributes index 56655c11b..e9f51ee29 100644 --- a/attributes +++ b/attributes @@ -37,6 +37,9 @@ attribute data_file_type; # All types use for sysfs files. attribute sysfs_type; +# All types use for debugfs files. +attribute debugfs_type; + # Attribute used for all sdcards attribute sdcard_type; diff --git a/domain.te b/domain.te index 02b884f15..2e38e92b2 100644 --- a/domain.te +++ b/domain.te @@ -110,6 +110,12 @@ allow domain selinuxfs:file getattr; allow domain sysfs:dir search; allow domain selinuxfs:filesystem getattr; +# Almost all processes log tracing information to +# /sys/kernel/debug/tracing/trace_marker +# The reason behind this is documented in b/6513400 +allow domain debugfs:dir search; +allow domain debugfs_trace_marker:file w_file_perms; + ### ### neverallow rules ### diff --git a/domain_deprecated.te b/domain_deprecated.te index 8d69a7fc0..5fbeb60cb 100644 --- a/domain_deprecated.te +++ b/domain_deprecated.te 
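Review bot: In the domain.te hunk, `allow domain debugfs_trace_marker:file w_file_perms;` lets every domain write into the kernel trace buffer, yet the comment justifies this only by citing b/6513400, which readers without access to that tracker cannot open. The comment should state the reason itself and record the consequence, for example `# trace_marker is the userspace entry point for trace events; any domain may write, so trace consumers must treat marker text as untrusted.` If the rest of the policy permits it, a neverallow that stops non-init domains gaining anything beyond write on `debugfs_trace_marker` would keep this deliberately global grant from widening later.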
@@ -71,6 +71,11 @@ allow domain_deprecated proc_cpuinfo:file r_file_perms; # debugfs access allow domain_deprecated debugfs:dir r_dir_perms; +# TODO: The following line can likely be deleted. The only reason +# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker +# write access. This was in the days before labels could be assigned +# to individual files on debugfs +# (b/18935184, https://android-review.googlesource.com/122130) allow domain_deprecated debugfs:file w_file_perms; # Get SELinux enforcing status. diff --git a/file.te b/file.te index 9251741e5..bab302b55 100644 --- a/file.te +++ b/file.te @@ -40,6 +40,7 @@ type vfat, sdcard_type, fs_type, mlstrustedobject; typealias fuse alias sdcard_internal; typealias vfat alias sdcard_external; type debugfs, fs_type, mlstrustedobject; +type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject; type pstorefs, fs_type; type functionfs, fs_type; type oemfs, fs_type, contextmount_type; @@ -198,6 +199,7 @@ type property_contexts, file_type; # Allow files to be created in their appropriate filesystems. allow fs_type self:filesystem associate; allow sysfs_type sysfs:filesystem associate; +allow debugfs_type debugfs:filesystem associate; allow file_type labeledfs:filesystem associate; allow file_type tmpfs:filesystem associate; allow file_type rootfs:filesystem associate; diff --git a/file_contexts b/file_contexts index 152dfb4ae..075154c4b 100644 --- a/file_contexts +++ b/file_contexts @@ -326,6 +326,11 @@ /sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0 /sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0 +############################# +# debugfs files +# +/sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0 + ############################# # asec containers /mnt/asec(/.*)? u:object_r:asec_apk_file:s0 diff --git a/init.te b/init.te index d07c5a7b6..464f088df 100644 --- a/init.te +++ b/init.te 
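Review bot: The new TODO in domain_deprecated.te leaves `allow domain_deprecated debugfs:file w_file_perms;` in force, so every domain carrying that attribute can still write to any debugfs file that keeps the generic `debugfs` label. Instead of an open-ended TODO, consider adding `auditallow domain_deprecated debugfs:file w_file_perms;` next to the rule, so that remaining users appear in the audit log and the rule can be removed on evidence. The comment could also say that the rule has to stay until trace_marker is actually relabelled, which presumably depends on the companion system/core change named in the description.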
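Review bot: In the first file.te hunk the base type `debugfs` is not given the new `debugfs_type` attribute, so the attribute that attributes describes as covering all debugfs files contains only `debugfs_trace_marker`. Any later allow or neverallow written against `debugfs_type` would silently miss every file that keeps the generic label. If that is not intended, declare the base type as `type debugfs, fs_type, debugfs_type, mlstrustedobject;`. If it is intended, the comment in attributes should say the attribute covers only individually labelled debugfs files.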
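Review bot: The new file_contexts entry has no file-type field, unlike the neighbouring `/sys/...` entries that use `--`, so the pattern matches an object of any class at that path. Writing it as `/sys/kernel/debug/tracing/trace_marker -- u:object_r:debugfs_trace_marker:s0` limits the label to a regular file. It would also help to add a comment that the entry takes effect only once the path is relabelled after debugfs is mounted, because until then the file keeps the generic `debugfs` type and the new domain.te rule does not apply to it.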
@@ -103,8 +103,8 @@ allow init {file_type -system_file -exec_type -keystore_data_file -security_file allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink }; allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto; -allow init sysfs:{ dir file lnk_file } { getattr relabelfrom }; -allow init sysfs_type:{ dir file lnk_file } relabelto; +allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom }; +allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto; allow init dev_type:dir create_dir_perms; allow init dev_type:lnk_file create; diff --git a/shell.te b/shell.te index 06d08a86e..cc2783cd7 100644 --- a/shell.te +++ b/shell.te @@ -69,12 +69,13 @@ set_prop(shell, debug_prop) set_prop(shell, powerctl_prop) # systrace support - allow atrace to run -# debugfs doesn't support labeling individual files, so we have +# debugfs did not support labeling individual files, so we have # to grant read access to all of /sys/kernel/debug. # Directory read access and file write access is already granted # in domain.te. +# TODO: Fix this now that we support labeling individual debugfs files +# (b/18935184, https://android-review.googlesource.com/122130) allow shell debugfs:file r_file_perms; -allow shell debugfs:dir search; allow shell atrace_exec:file rx_file_perms; userdebug_or_eng(`
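Review bot: The two rewritten init.te rules give init relabelfrom and relabelto on debugfs for `dir` and `lnk_file` as well as `file`, although the only object this commit labels appears to be a single regular file. Leaving the sysfs rules as they were and adding `allow init debugfs:file { getattr relabelfrom };` and `allow init debugfs_type:file relabelto;` would grant only what the trace_marker relabel needs. The class set can be widened later if a debugfs directory or symlink is ever given its own type.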
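Review bot: The retained shell.te comment "Directory read access and file write access is already granted in domain.te" no longer matches this patch. On the visible lines, domain.te grants only `debugfs:dir search` and write on `debugfs_trace_marker`, while `debugfs:dir r_dir_perms` and `debugfs:file w_file_perms` sit in domain_deprecated.te. This hunk removes `allow shell debugfs:dir search;` relying on that comment, so the comment should name the right files, e.g. `# Directory search and trace_marker write are granted in domain.te; directory read and generic debugfs write come from domain_deprecated.te.` The block continues past the end of the hunk at `userdebug_or_eng(`.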