tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "selinux: allow Perfetto traced_probes to write into kmesg" am: daeea37e21

Browse source 
am: e786cf9966

Change-Id: I01edf449451eb9e8c608fff6f86c529e69a42602
This commit is contained in:
Primiano Tucci 2018-02-16 23:36:53 +00:00 committed by android-build-merger
commit c41533e48f
1 changed files with 8 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
private/traced_probes.te
View file

@ -29,6 +29,9 @@ allow traced_probes self:global_capability_class_set { sys_nice };
# Allow procfs access
r_dir_file(traced_probes, domain)
# Allow to log to kernel dmesg when starting / stopping ftrace.
allow traced_probes kmsg_device:chr_file write;
###
### Neverallow rules
###
@ -45,7 +48,7 @@ neverallow traced_probes dev_type:blk_file { read write };
neverallow traced_probes domain:process ptrace;
# Disallows access to /data files.
neverallow traced {
neverallow traced_probes {
data_file_type
-system_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
@ -53,10 +56,10 @@ neverallow traced {
-vendor_data_file
-zoneinfo_data_file
}:dir *;
neverallow traced system_data_file:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced { data_file_type -zoneinfo_data_file }:file *;
neverallow traced_probes system_data_file:dir ~{ getattr search };
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;