Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker am: 44826cb5e4
am: 7fe25900b4
* commit '7fe25900b4da42cf7a2ef51d2a6e5e707b4d3631':
Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
This commit is contained in:
commit
713ad50b75
7 changed files with 26 additions and 4 deletions
|
@ -37,6 +37,9 @@ attribute data_file_type;
|
||||||
# All types use for sysfs files.
|
# All types use for sysfs files.
|
||||||
attribute sysfs_type;
|
attribute sysfs_type;
|
||||||
|
|
||||||
|
# All types use for debugfs files.
|
||||||
|
attribute debugfs_type;
|
||||||
|
|
||||||
# Attribute used for all sdcards
|
# Attribute used for all sdcards
|
||||||
attribute sdcard_type;
|
attribute sdcard_type;
|
||||||
|
|
||||||
|
|
|
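Review bot: The new comment `# All types use for debugfs files.` copies the grammatical slip of the sysfs line above it; `# All types used for debugfs files.` reads correctly. Because this attribute is the pivot of per-file debugfs labeling in this change (init may relabel to it, and file.te grants it `associate` on debugfs), a second comment line saying that any new per-file debugfs type must carry `debugfs_type` or its label will be denied `associate` would spare the next policy author a denial hunt. The file header of this section is not on the page; the file name is inferred from the `attribute` declarations.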
@ -110,6 +110,12 @@ allow domain selinuxfs:file getattr;
|
||||||
allow domain sysfs:dir search;
|
allow domain sysfs:dir search;
|
||||||
allow domain selinuxfs:filesystem getattr;
|
allow domain selinuxfs:filesystem getattr;
|
||||||
|
|
||||||
|
# Almost all processes log tracing information to
|
||||||
|
# /sys/kernel/debug/tracing/trace_marker
|
||||||
|
# The reason behind this is documented in b/6513400
|
||||||
|
allow domain debugfs:dir search;
|
||||||
|
allow domain debugfs_trace_marker:file w_file_perms;
|
||||||
|
|
||||||
###
|
###
|
||||||
### neverallow rules
|
### neverallow rules
|
||||||
###
|
###
|
||||||
|
|
|
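Review bot: `allow domain debugfs_trace_marker:file w_file_perms;` is the widest grant the policy can make — every domain, untrusted apps included — yet the only justification in the hunk is a bug reference that readers without access to b/6513400 cannot follow; the rationale should be stated in-policy, e.g. `# trace_marker is the ftrace user-space marker written by atrace/systrace instrumentation in nearly every process; it needs no read access.` It is also worth saying that the rule only has effect once the node carries the new label, which requires both the file_contexts entry and a restorecon at boot; the latter is not among the files in this commit (inferred from the diffstat), so until it lands domains that are not `domain_deprecated` will be denied the write. The file header of this section is not on the page; the file name is inferred from the `domain` subject and the neighboring neverallow banner.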
@ -71,6 +71,11 @@ allow domain_deprecated proc_cpuinfo:file r_file_perms;
|
||||||
|
|
||||||
# debugfs access
|
# debugfs access
|
||||||
allow domain_deprecated debugfs:dir r_dir_perms;
|
allow domain_deprecated debugfs:dir r_dir_perms;
|
||||||
|
# TODO: The following line can likely be deleted. The only reason
|
||||||
|
# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker
|
||||||
|
# write access. This was in the days before labels could be assigned
|
||||||
|
# to individual files on debugfs
|
||||||
|
# (b/18935184, https://android-review.googlesource.com/122130)
|
||||||
allow domain_deprecated debugfs:file w_file_perms;
|
allow domain_deprecated debugfs:file w_file_perms;
|
||||||
|
|
||||||
# Get SELinux enforcing status.
|
# Get SELinux enforcing status.
|
||||||
|
|
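Review bot: The TODO says `allow domain_deprecated debugfs:file w_file_perms;` "can likely be deleted", but the rule is broader than the trace_marker case it was added for: it grants write on every file under /sys/kernel/debug to every domain_deprecated domain, so removing it is a real narrowing that has to be checked against audit denials rather than a dead-rule cleanup. Suggested wording: `# TODO: remove. trace_marker writes are now granted via debugfs_trace_marker in domain.te; any other debugfs write this still covers needs its own label first.` The file header of this section is not on the page; the file name is inferred from the `domain_deprecated` subject.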
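--- a/file.te
+++ b/file.te
@@ -40,6 +40,7 @@ type vfat, sdcard_type, fs_type, mlstrustedobject;
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
 type debugfs, fs_type, mlstrustedobject;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type pstorefs, fs_type;
 type functionfs, fs_type;
 type oemfs, fs_type, contextmount_type;
@@ -198,6 +199,7 @@ type property_contexts, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type debugfs:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;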
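Review bot: `type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;` lands without a comment, and `mlstrustedobject` in particular deserves one because it is copied from the filesystem-wide `debugfs` type: presumably it is kept so that writers at every MLS level can reach the node (confirm against the mls constraints). Suggested line above it: `# Per-file label for /sys/kernel/debug/tracing/trace_marker, written by all domains; mlstrustedobject so MLS levels do not block the write.` The `associate` rule in the second hunk is what lets a `debugfs_type` label exist on debugfs at all, and a one-line comment there (`# debugfs files may carry per-file debugfs_type labels`) would tie the two hunks together for the next reader.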
@ -326,6 +326,11 @@
|
||||||
/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
|
/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
|
||||||
/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
|
/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
|
||||||
|
|
||||||
|
#############################
|
||||||
|
# debugfs files
|
||||||
|
#
|
||||||
|
/sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
|
||||||
|
|
||||||
#############################
|
#############################
|
||||||
# asec containers
|
# asec containers
|
||||||
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
|
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
|
||||||
|
|
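Review bot: The new entry omits the file-type field that the neighboring `/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0` line uses; `/sys/kernel/debug/tracing/trace_marker -- u:object_r:debugfs_trace_marker:s0` keeps the section's style and limits the match to a regular file. A file_contexts entry only changes a label when something restorecons the path: the init.te relabel grants in this commit make that possible, but the restorecon itself is not among the seven files here (inferred from the diffstat), so the boot sequence should be checked to confirm the label is actually applied. The file header of this section is not on the page; the file name is inferred from its contents.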
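--- a/init.te
+++ b/init.te
@@ -103,8 +103,8 @@ allow init {file_type -system_file -exec_type -keystore_data_file -security_file
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
-allow init sysfs_type:{ dir file lnk_file } relabelto;
+allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;
 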
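Review bot: `allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };` lets init relabel any debugfs node, not only trace_marker, and the paired `relabelto` line lets it relabel to any `debugfs_type`; that is reasonable for a restorecon-driven design, but the hunk carries no comment saying so. Suggested comment above the two lines: `# init restorecons sysfs/debugfs paths listed in file_contexts (e.g. /sys/kernel/debug/tracing/trace_marker).` The restorecon invocation itself is not part of this commit, so the grant is inert until the init side lands (inferred from the diffstat).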
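--- a/shell.te
+++ b/shell.te
@@ -69,12 +69,13 @@ set_prop(shell, debug_prop)
 set_prop(shell, powerctl_prop)
 
 # systrace support - allow atrace to run
-# debugfs doesn't support labeling individual files, so we have
+# debugfs did not support labeling individual files, so we have
 # to grant read access to all of /sys/kernel/debug.
 # Directory read access and file write access is already granted
 # in domain.te.
+# TODO: Fix this now that we support labeling individual debugfs files
+# (b/18935184, https://android-review.googlesource.com/122130)
 allow shell debugfs:file r_file_perms;
-allow shell debugfs:dir search;
 allow shell atrace_exec:file rx_file_perms;
 
 userdebug_or_eng(`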
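Review bot: The comment `# Directory read access and file write access is already granted` / `# in domain.te.` is stale after this commit: within this same diff the `debugfs:dir r_dir_perms` and `debugfs:file w_file_perms` grants live in domain_deprecated.te, while domain.te gains only `debugfs:dir search` and the trace_marker write. Since the hunk already rewrites the sentence above it, update this one too, e.g. `# in domain_deprecated.te (trace_marker write is in domain.te).` — this assumes shell is a domain_deprecated domain, which is not visible on the page. The dropped `allow shell debugfs:dir search;` is covered by the new domain-wide search rule, and the TODO could say so to keep someone from reinstating it.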