From bc71a6109e37e53fa5e325a8000989d86f7fd5e4 Mon Sep 17 00:00:00 2001 From: Wei Wang Date: Wed, 19 Sep 2018 16:06:28 -0700 Subject: [PATCH] Add atrace HAL 1.0 sepolicy Bug: 111098596 Test: atrace/systrace (cherry picked from commit 9ed5cf6e430a864630c2451bf35f18ac7668c12b) Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0 --- private/app_neverallows.te | 1 + private/atrace.te | 3 +++ private/compat/26.0/26.0.ignore.cil | 1 + private/compat/27.0/27.0.ignore.cil | 1 + private/compat/28.0/28.0.ignore.cil | 1 + private/hwservice_contexts | 1 + private/shell.te | 3 +++ public/attributes | 1 + public/hal_atrace.te | 4 ++++ public/hwservice.te | 1 + public/su.te | 1 + vendor/file_contexts | 1 + vendor/hal_atrace_default.te | 14 ++++++++++++++ 13 files changed, 33 insertions(+) create mode 100644 public/hal_atrace.te create mode 100644 vendor/hal_atrace_default.te diff --git a/private/app_neverallows.te b/private/app_neverallows.te index 1c1deb02f..344ecd544 100644 --- a/private/app_neverallows.te +++ b/private/app_neverallows.te @@ -195,6 +195,7 @@ neverallow all_untrusted_apps { # Make sure that the following services are never accessible by untrusted_apps neverallow all_untrusted_apps { default_android_hwservice + hal_atrace_hwservice hal_audio_hwservice hal_authsecret_hwservice hal_bluetooth_hwservice diff --git a/private/atrace.te b/private/atrace.te index ac9bedbfa..2a7ccd0e5 100644 --- a/private/atrace.te +++ b/private/atrace.te @@ -26,6 +26,9 @@ allow atrace system_server:binder call; get_prop(atrace, hwservicemanager_prop) +# atrace can call atrace HAL +hal_client_domain(atrace, hal_atrace) + allow atrace { service_manager_type -incident_service diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil index b64e10e91..c585b668c 100644 --- a/private/compat/26.0/26.0.ignore.cil +++ b/private/compat/26.0/26.0.ignore.cil 
@@ -57,6 +57,7 @@ fastbootd fingerprint_vendor_data_file fs_bpf + hal_atrace_hwservice hal_audiocontrol_hwservice hal_authsecret_hwservice hal_broadcastradio_hwservice diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil index 494e63456..95d820e08 100644 --- a/private/compat/27.0/27.0.ignore.cil +++ b/private/compat/27.0/27.0.ignore.cil @@ -53,6 +53,7 @@ fastbootd fingerprint_vendor_data_file fs_bpf + hal_atrace_hwservice hal_audiocontrol_hwservice hal_authsecret_hwservice hal_codec2_hwservice diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil index cd7b7c892..4add5c689 100644 --- a/private/compat/28.0/28.0.ignore.cil +++ b/private/compat/28.0/28.0.ignore.cil @@ -11,6 +11,7 @@ buffer_hub_service fastbootd color_display_service + hal_atrace_hwservice hal_health_storage_hwservice hal_system_suspend_default hal_system_suspend_default_exec diff --git a/private/hwservice_contexts b/private/hwservice_contexts index 9af432dd5..f12385fc1 100644 --- a/private/hwservice_contexts +++ b/private/hwservice_contexts @@ -1,6 +1,7 @@ android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0 android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0 android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0 +android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0 android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0 android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0 android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0 diff --git a/private/shell.te b/private/shell.te index 121377799..7b52a02ef 100644 --- a/private/shell.te +++ b/private/shell.te 
@@ -54,3 +54,6 @@ allow shell perfetto_traces_data_file:file r_file_perms; # Allow shell-based "dumpsys" to call into bufferhubd. binder_call(shell, bufferhubd); + +# Allow shell to use atrace HAL +hal_client_domain(shell, hal_atrace) diff --git a/public/attributes b/public/attributes index 1ef92263d..79cc20d09 100644 --- a/public/attributes +++ b/public/attributes @@ -242,6 +242,7 @@ attribute hal_automotive_socket_exemption; # HALs hal_attribute(allocator); +hal_attribute(atrace); hal_attribute(audio); hal_attribute(audiocontrol); hal_attribute(authsecret); diff --git a/public/hal_atrace.te b/public/hal_atrace.te new file mode 100644 index 000000000..51d9237f9 --- /dev/null +++ b/public/hal_atrace.te @@ -0,0 +1,4 @@ +# HwBinder IPC from client to server +binder_call(hal_atrace_client, hal_atrace_server) + +hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice) diff --git a/public/hwservice.te b/public/hwservice.te index 3e3a6c8a2..e7ef2bb85 100644 --- a/public/hwservice.te +++ b/public/hwservice.te @@ -2,6 +2,7 @@ type default_android_hwservice, hwservice_manager_type; type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice; type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice; type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice; +type hal_atrace_hwservice, hwservice_manager_type; type hal_audiocontrol_hwservice, hwservice_manager_type; type hal_audio_hwservice, hwservice_manager_type; type hal_authsecret_hwservice, hwservice_manager_type; diff --git a/public/su.te b/public/su.te index 5952ab8ea..dad9c4948 100644 --- a/public/su.te +++ b/public/su.te @@ -58,6 +58,7 @@ userdebug_or_eng(` # permission to interact with it. typeattribute su halclientdomain; typeattribute su hal_allocator_client; + typeattribute su hal_atrace_client; typeattribute su hal_audio_client; typeattribute su hal_authsecret_client; typeattribute su hal_bluetooth_client; 
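Review bot: The `hal_client_domain(shell, hal_atrace)` line added at the end of private/shell.te is unconditional, so the adb shell domain becomes a direct client of the atrace HAL on user builds too, not only on userdebug/eng. The same commit already makes the `atrace` domain a client in private/atrace.te, and the new comment `# Allow shell to use atrace HAL` does not say why shell needs its own grant. I would extend it to state the reason, for example `# atrace started from adb shell runs in the shell domain, so shell must be a HAL client itself`, if that is the actual reason; nothing on this page shows which domain atrace runs in. If the access is only needed for debugging, wrapping the line in `userdebug_or_eng(...)` would keep shell from reaching the HAL, and through it the HAL's tracefs write access, on production builds.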
diff --git a/vendor/file_contexts b/vendor/file_contexts index c4e6648be..44198cc42 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -1,6 +1,7 @@ ############################# # Default HALs # +/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service u:object_r:hal_evs_default_exec:s0 diff --git a/vendor/hal_atrace_default.te b/vendor/hal_atrace_default.te new file mode 100644 index 000000000..55c9730b3 --- /dev/null +++ b/vendor/hal_atrace_default.te @@ -0,0 +1,14 @@ +type hal_atrace_default, domain; +hal_server_domain(hal_atrace_default, hal_atrace) + +type hal_atrace_default_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_atrace_default) + +# Allow atrace HAL to access tracefs. +allow hal_atrace_default debugfs_tracing:dir r_dir_perms; +allow hal_atrace_default debugfs_tracing:file rw_file_perms; + +userdebug_or_eng(` + allow hal_atrace_default debugfs_tracing_debug:dir r_dir_perms; + allow hal_atrace_default debugfs_tracing_debug:file rw_file_perms; +')
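Review bot: `allow hal_atrace_default debugfs_tracing:file rw_file_perms;` in vendor/hal_atrace_default.te gives the HAL read and write on every file labelled `debugfs_tracing`, and the clients this commit admits (atrace, shell, su on userdebug/eng) reach those writes indirectly over HwBinder. The type-level rule cannot narrow this per file, so the limit has to be enforced by the service, presumably by mapping client-supplied category names onto a fixed table of tracefs paths rather than building paths from input. The comment above the rule should record that expectation, e.g. `# HAL toggles a fixed set of vendor trace events; clients pass category names only, never paths`. If the service never reads these files, `w_file_perms` would be a tighter grant than `rw_file_perms`; the implementation is not on this page, so confirm before changing it.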