In native coverage builds, allow all domains to access /data/misc/trace

Bug: http://b/135139675

Coverage files are written to /data/misc/trace (governed by the
method_trace_data_file selinux type).  Allow all domains to access
(create directories, access files) this directory when native coverage
is enabled (by setting NATIVE_COVERAGE to true) in a userdebug or eng
build.

Also relax neverallow constraints to allow access to
method_trace_data_file for native coverage builds.

Test: Build 32-bit cuttlefish with coverage:
          m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
      and verify that there are no selinux denials in kernel log and
      logcat.

Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
(cherry picked from commit ce9c0c5a5f)
This commit is contained in:
Pirama Arumuga Nainar 2019-06-13 15:05:15 -07:00 committed by Oliver Nguyen
parent 72f247f5ff
commit b65824642b
27 changed files with 124 additions and 10 deletions


@ -169,6 +169,11 @@ ifneq (,$(filter address,$(SANITIZE_TARGET)))
with_asan := true with_asan := true
endif endif
with_native_coverage := false
ifeq ($(NATIVE_COVERAGE),true)
with_native_coverage := true
endif
# Library extension for host-side tests # Library extension for host-side tests
ifeq ($(HOST_OS),darwin) ifeq ($(HOST_OS),darwin)
SHAREDLIB_EXT=dylib SHAREDLIB_EXT=dylib
@ -334,6 +339,7 @@ $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user $(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \ $(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \
@ -352,6 +358,7 @@ $(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true $(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(sepolicy_policy_2.conf): $(call build_policy, $(sepolicy_build_files), \ $(sepolicy_policy_2.conf): $(call build_policy, $(sepolicy_build_files), \
@ -396,6 +403,7 @@ $(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
@ -424,6 +432,7 @@ $(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
@ -449,6 +458,7 @@ $(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
@ -502,6 +512,7 @@ $(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
@ -544,6 +555,7 @@ $(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug $(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
@ -587,6 +599,7 @@ $(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
@ -728,6 +741,7 @@ $(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
@ -778,6 +792,7 @@ $(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
@ -995,6 +1010,7 @@ $(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \ $(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
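Review bot: The new `with_native_coverage` variable at the top of this section has no comment saying why it exists or that it is gated twice — here by `NATIVE_COVERAGE`, and again inside the m4 `with_native_coverage()` macro by `userdebug_or_eng`, so user-variant policy files such as `$(sepolicy_policy.conf)` (built with `PRIVATE_TARGET_BUILD_VARIANT := user`) are unaffected. I would add above the `ifeq`: `# NATIVE_COVERAGE=true lets every domain write coverage data to method_trace_data_file (/data/misc/trace); the te_macros with_native_coverage() wrapper additionally requires a userdebug/eng build, so user policy is unchanged.` The value has to be threaded as `PRIVATE_TGT_WITH_NATIVE_COVERAGE` onto every *_policy.conf target by hand; a target that is missed would presumably get a policy with the coverage rules silently compiled out rather than a build error, so the per-version plat_policy rule at the end of this page must stay in sync as well. Mirroring the `with_asan` test with `ifeq ($(strip $(NATIVE_COVERAGE)),true)` would also tolerate stray whitespace from the command line.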


@ -8,6 +8,7 @@ $(hide) m4 --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \ -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \ -D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \ -D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \ -D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \ -D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \ -D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
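Review bot: The added `-D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE)` hands m4 an empty definition whenever a policy target did not set the target-specific variable, and `--fatal-warnings` does not catch that; the macro then compares empty against `true` and the coverage rules silently drop out of that policy file. Defaulting the value makes the intent explicit and keeps the behaviour identical for targets that do set it: `-D target_with_native_coverage=$(or $(PRIVATE_TGT_WITH_NATIVE_COVERAGE),false) \`. The m4 recipe this line belongs to opens before the hunk.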


@ -8,6 +8,7 @@ neverallow logd {
file_type file_type
-runtime_event_log_tags_file -runtime_event_log_tags_file
userdebug_or_eng(`-coredump_file -misc_logd_file') userdebug_or_eng(`-coredump_file -misc_logd_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append }; }:file { create write append };
# protect the event-log-tags file # protect the event-log-tags file
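Review bot: The new `with_native_coverage(`-method_trace_data_file')` exemption has no comment explaining why a daemon that must otherwise never create or write files is allowed to do so here, whereas the neighbouring `userdebug_or_eng` exemptions at least name the types they carve out. I would add above it: `# coverage-instrumented binaries write their data to /data/misc/trace (method_trace_data_file); with_native_coverage() expands to nothing on user builds.` The same bare exemption is added without a comment to the logpersist, perfetto, recovery_persist, recovery_refresh, traced, traced_probes, domain, hal_configstore_server, mediaextractor and recovery neverallows in the following sections, and again in the second copy of each of those hunks later on this page; one comment per file is enough. The `neverallow logd {` statement opens before the hunk.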


@ -19,6 +19,10 @@ userdebug_or_eng(`
') ')
# logpersist is allowed to write to /data/misc/log for userdebug and eng builds # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append }; neverallow logpersist {
file_type
userdebug_or_eng(`-misc_logd_file -coredump_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms; neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write }; neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };


@ -74,8 +74,14 @@ neverallow perfetto {
-vendor_data_file -vendor_data_file
-zoneinfo_data_file -zoneinfo_data_file
-perfetto_traces_data_file -perfetto_traces_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *; }:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search }; neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms; neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *; neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write; neverallow perfetto {
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;


@ -3,4 +3,9 @@ typeattribute recovery_persist coredomain;
init_daemon_domain(recovery_persist) init_daemon_domain(recovery_persist)
# recovery_persist is not allowed to write anywhere other than recovery_data_file # recovery_persist is not allowed to write anywhere other than recovery_data_file
neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write; neverallow recovery_persist {
file_type
-recovery_data_file
userdebug_or_eng(`-coredump_file')
with_native_coverage(`-method_trace_data_file')
}:file write;


@ -3,4 +3,8 @@ typeattribute recovery_refresh coredomain;
init_daemon_domain(recovery_refresh) init_daemon_domain(recovery_refresh)
# recovery_refresh is not allowed to write anywhere # recovery_refresh is not allowed to write anywhere
neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write; neverallow recovery_refresh {
file_type
userdebug_or_eng(`-coredump_file')
with_native_coverage(`-method_trace_data_file')
}:file write;


@ -66,6 +66,7 @@ neverallow traced {
# subsequent neverallow. Currently only getattr and search are allowed. # subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file -vendor_data_file
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *; }:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search }; neverallow traced { system_data_file }:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms; neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
@ -75,6 +76,7 @@ neverallow traced {
-zoneinfo_data_file -zoneinfo_data_file
-perfetto_traces_data_file -perfetto_traces_data_file
-trace_data_file -trace_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write; }:file ~write;
# Only init is allowed to enter the traced domain via exec() # Only init is allowed to enter the traced domain via exec()


@ -108,11 +108,17 @@ neverallow traced_probes {
# subsequent neverallow. Currently only getattr and search are allowed. # subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file -vendor_data_file
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *; }:dir *;
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search }; neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms; neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *; neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file }:file *; neverallow traced_probes {
data_file_type
-zoneinfo_data_file
-packages_list_file
with_native_coverage(`-method_trace_data_file')
}:file *;
# Only init is allowed to enter the traced_probes domain via exec() # Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition; neverallow { domain -init } traced_probes:process transition;


@ -51,6 +51,12 @@ userdebug_or_eng(`
allow domain coredump_file:dir ra_dir_perms; allow domain coredump_file:dir ra_dir_perms;
') ')
with_native_coverage(`
# Allow writing coverage information to /data/misc/trace
allow domain method_trace_data_file:dir create_dir_perms;
allow domain method_trace_data_file:file create_file_perms;
')
# Root fs. # Root fs.
allow domain tmpfs:dir { getattr search }; allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search; allow domain rootfs:dir search;
@ -852,6 +858,7 @@ full_treble_only(`
# These functions are considered vndk-stable and thus must be allowed for # These functions are considered vndk-stable and thus must be allowed for
# all processes. # all processes.
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map }; }:file_class_set ~{ append getattr ioctl read write map };
neverallow { neverallow {
vendor_init vendor_init
@ -860,6 +867,7 @@ full_treble_only(`
core_data_file_type core_data_file_type
-unencrypted_data_file -unencrypted_data_file
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map }; }:file_class_set ~{ append getattr ioctl read write map };
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
# The vendor init binary lives on the system partition so there is not a concern with stability. # The vendor init binary lives on the system partition so there is not a concern with stability.
@ -878,6 +886,7 @@ full_treble_only(`
-system_data_file # default label for files on /data. Covered below... -system_data_file # default label for files on /data. Covered below...
-vendor_data_file -vendor_data_file
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *; }:dir *;
neverallow { neverallow {
vendor_init vendor_init
@ -888,6 +897,7 @@ full_treble_only(`
-system_data_file -system_data_file
-vendor_data_file -vendor_data_file
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *; }:dir *;
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
# The vendor init binary lives on the system partition so there is not a concern with stability. # The vendor init binary lives on the system partition so there is not a concern with stability.
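Review bot: The new `allow domain method_trace_data_file:dir create_dir_perms;` / `allow domain method_trace_data_file:file create_file_perms;` pair in the first hunk grants every domain in the policy, app domains included, create and write access to one shared directory, and `create_file_perms` presumably also carries rename and unlink, so on a coverage build any process can overwrite or remove another process's coverage output; that is acceptable for a test-only configuration but should be stated, so nobody later reads this as a narrow grant or carries it onto a shipping image. I would extend the added comment to: `# Allow writing coverage information to /data/misc/trace. Deliberately granted to every domain (coverage data is written from arbitrary processes); compiled out unless with_native_coverage() is active, which itself requires a userdebug/eng build.` The four `full_treble_only` neverallow hunks below that exempt the same type carry no comment either, and each of the `full_treble_only(` blocks opens before its hunk. The same hunks appear a second time later on this page.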


@ -42,6 +42,7 @@ neverallow hal_configstore_server {
-anr_data_file # for crash dump collection -anr_data_file # for crash dump collection
-tombstone_data_file # for crash dump collection -tombstone_data_file # for crash dump collection
-zoneinfo_data_file # granted to domain -zoneinfo_data_file # granted to domain
with_native_coverage(`-method_trace_data_file')
}:{ file fifo_file sock_file } *; }:{ file fifo_file sock_file } *;
# Should never need sdcard access # Should never need sdcard access


@ -66,4 +66,5 @@ neverallow mediaextractor {
data_file_type data_file_type
-zoneinfo_data_file # time zone data from /data/misc/zoneinfo -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
with_native_coverage(`-method_trace_data_file')
}:file open; }:file open;


@ -162,9 +162,11 @@ neverallow recovery {
data_file_type data_file_type
-cache_file -cache_file
-cache_recovery_file -cache_recovery_file
with_native_coverage(`-method_trace_data_file')
}:file { no_w_file_perms no_x_file_perms }; }:file { no_w_file_perms no_x_file_perms };
neverallow recovery { neverallow recovery {
data_file_type data_file_type
-cache_file -cache_file
-cache_recovery_file -cache_recovery_file
with_native_coverage(`-method_trace_data_file')
}:dir no_w_dir_perms; }:dir no_w_dir_perms;


@ -509,6 +509,12 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target
# #
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), )) define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
#####################################
# native coverage builds
# SELinux rules which apply only to builds with native coverage
#
define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
##################################### #####################################
# Build-time-only test # Build-time-only test
# SELinux rules which are verified during build, but not as part of *TS testing. # SELinux rules which are verified during build, but not as part of *TS testing.
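Review bot: The new `with_native_coverage` macro's header comment says the rules apply "only to builds with native coverage", but the definition also wraps `$1` in `userdebug_or_eng`, so the rules are dropped on user builds even when `target_with_native_coverage` is `true`; the comment should say so, since that wrapper is what keeps every neverallow relaxation in this change off shipping policy. I would change the comment line to `# SELinux rules which apply only to userdebug/eng builds with native coverage (target_with_native_coverage=true); expands to nothing on user builds.` When `target_with_native_coverage` is not defined on the m4 command line, `ifelse` compares the literal token against `true` and the macro silently expands to nothing, so a missing `-D` is indistinguishable from coverage being off. The same definition is added a second time later on this page.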


@ -8,6 +8,7 @@ neverallow logd {
file_type file_type
-runtime_event_log_tags_file -runtime_event_log_tags_file
userdebug_or_eng(`-coredump_file -misc_logd_file') userdebug_or_eng(`-coredump_file -misc_logd_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append }; }:file { create write append };
# protect the event-log-tags file # protect the event-log-tags file


@ -19,6 +19,10 @@ userdebug_or_eng(`
') ')
# logpersist is allowed to write to /data/misc/log for userdebug and eng builds # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append }; neverallow logpersist {
file_type
userdebug_or_eng(`-misc_logd_file -coredump_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms; neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write }; neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };


@ -74,8 +74,14 @@ neverallow perfetto {
-vendor_data_file -vendor_data_file
-zoneinfo_data_file -zoneinfo_data_file
-perfetto_traces_data_file -perfetto_traces_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *; }:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search }; neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms; neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *; neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write; neverallow perfetto {
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;


@ -3,4 +3,9 @@ typeattribute recovery_persist coredomain;
init_daemon_domain(recovery_persist) init_daemon_domain(recovery_persist)
# recovery_persist is not allowed to write anywhere other than recovery_data_file # recovery_persist is not allowed to write anywhere other than recovery_data_file
neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write; neverallow recovery_persist {
file_type
-recovery_data_file
userdebug_or_eng(`-coredump_file')
with_native_coverage(`-method_trace_data_file')
}:file write;


@ -3,4 +3,8 @@ typeattribute recovery_refresh coredomain;
init_daemon_domain(recovery_refresh) init_daemon_domain(recovery_refresh)
# recovery_refresh is not allowed to write anywhere # recovery_refresh is not allowed to write anywhere
neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write; neverallow recovery_refresh {
file_type
userdebug_or_eng(`-coredump_file')
with_native_coverage(`-method_trace_data_file')
}:file write;


@ -66,6 +66,7 @@ neverallow traced {
# subsequent neverallow. Currently only getattr and search are allowed. # subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file -vendor_data_file
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *; }:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search }; neverallow traced { system_data_file }:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms; neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
@ -75,6 +76,7 @@ neverallow traced {
-zoneinfo_data_file -zoneinfo_data_file
-perfetto_traces_data_file -perfetto_traces_data_file
-trace_data_file -trace_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write; }:file ~write;
# Only init is allowed to enter the traced domain via exec() # Only init is allowed to enter the traced domain via exec()


@ -108,11 +108,17 @@ neverallow traced_probes {
# subsequent neverallow. Currently only getattr and search are allowed. # subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file -vendor_data_file
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *; }:dir *;
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search }; neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms; neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *; neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file }:file *; neverallow traced_probes {
data_file_type
-zoneinfo_data_file
-packages_list_file
with_native_coverage(`-method_trace_data_file')
}:file *;
# Only init is allowed to enter the traced_probes domain via exec() # Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition; neverallow { domain -init } traced_probes:process transition;


@ -51,6 +51,12 @@ userdebug_or_eng(`
allow domain coredump_file:dir ra_dir_perms; allow domain coredump_file:dir ra_dir_perms;
') ')
with_native_coverage(`
# Allow writing coverage information to /data/misc/trace
allow domain method_trace_data_file:dir create_dir_perms;
allow domain method_trace_data_file:file create_file_perms;
')
# Root fs. # Root fs.
allow domain tmpfs:dir { getattr search }; allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search; allow domain rootfs:dir search;
@ -852,6 +858,7 @@ full_treble_only(`
# These functions are considered vndk-stable and thus must be allowed for # These functions are considered vndk-stable and thus must be allowed for
# all processes. # all processes.
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map }; }:file_class_set ~{ append getattr ioctl read write map };
neverallow { neverallow {
vendor_init vendor_init
@ -860,6 +867,7 @@ full_treble_only(`
core_data_file_type core_data_file_type
-unencrypted_data_file -unencrypted_data_file
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map }; }:file_class_set ~{ append getattr ioctl read write map };
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
# The vendor init binary lives on the system partition so there is not a concern with stability. # The vendor init binary lives on the system partition so there is not a concern with stability.
@ -878,6 +886,7 @@ full_treble_only(`
-system_data_file # default label for files on /data. Covered below... -system_data_file # default label for files on /data. Covered below...
-vendor_data_file -vendor_data_file
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *; }:dir *;
neverallow { neverallow {
vendor_init vendor_init
@ -888,6 +897,7 @@ full_treble_only(`
-system_data_file -system_data_file
-vendor_data_file -vendor_data_file
-zoneinfo_data_file -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *; }:dir *;
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
# The vendor init binary lives on the system partition so there is not a concern with stability. # The vendor init binary lives on the system partition so there is not a concern with stability.


@ -42,6 +42,7 @@ neverallow hal_configstore_server {
-anr_data_file # for crash dump collection -anr_data_file # for crash dump collection
-tombstone_data_file # for crash dump collection -tombstone_data_file # for crash dump collection
-zoneinfo_data_file # granted to domain -zoneinfo_data_file # granted to domain
with_native_coverage(`-method_trace_data_file')
}:{ file fifo_file sock_file } *; }:{ file fifo_file sock_file } *;
# Should never need sdcard access # Should never need sdcard access


@ -66,4 +66,5 @@ neverallow mediaextractor {
data_file_type data_file_type
-zoneinfo_data_file # time zone data from /data/misc/zoneinfo -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
with_native_coverage(`-method_trace_data_file')
}:file open; }:file open;


@ -162,9 +162,11 @@ neverallow recovery {
data_file_type data_file_type
-cache_file -cache_file
-cache_recovery_file -cache_recovery_file
with_native_coverage(`-method_trace_data_file')
}:file { no_w_file_perms no_x_file_perms }; }:file { no_w_file_perms no_x_file_perms };
neverallow recovery { neverallow recovery {
data_file_type data_file_type
-cache_file -cache_file
-cache_recovery_file -cache_recovery_file
with_native_coverage(`-method_trace_data_file')
}:dir no_w_dir_perms; }:dir no_w_dir_perms;


@ -509,6 +509,12 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target
# #
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), )) define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
#####################################
# native coverage builds
# SELinux rules which apply only to builds with native coverage
#
define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
##################################### #####################################
# Build-time-only test # Build-time-only test
# SELinux rules which are verified during build, but not as part of *TS testing. # SELinux rules which are verified during build, but not as part of *TS testing.


@ -22,6 +22,7 @@ $($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user $($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) $($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true $($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$($(version)_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \ $($(version)_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \