44826cb5e4
Add initial support for labeling files on /sys/kernel/debug. The kernel support was added in https://android-review.googlesource.com/122130 but the userspace portion of the change was never completed until now. Start labeling the file /sys/kernel/debug/tracing/trace_marker . This is the trace_marker file, which is written to by almost all processes in Android. Allow global write access to this file. This change should be submitted at the same time as the system/core commit with the same Change-Id as this patch. Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
215 lines
8.3 KiB
Text
215 lines
8.3 KiB
Text
# Filesystem types
|
|
type labeledfs, fs_type;
|
|
type pipefs, fs_type;
|
|
type sockfs, fs_type;
|
|
type rootfs, fs_type;
|
|
type proc, fs_type;
|
|
# Security-sensitive proc nodes that should not be writable to most.
|
|
type proc_security, fs_type;
|
|
# Type for /proc/sys/vm/drop_caches
|
|
type proc_drop_caches, fs_type;
|
|
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
|
|
type usermodehelper, fs_type, sysfs_type;
|
|
type qtaguid_proc, fs_type, mlstrustedobject;
|
|
type proc_bluetooth_writable, fs_type;
|
|
type proc_cpuinfo, fs_type;
|
|
type proc_iomem, fs_type;
|
|
type proc_net, fs_type;
|
|
type proc_sysrq, fs_type;
|
|
type proc_uid_cputime_showstat, fs_type;
|
|
type proc_uid_cputime_removeuid, fs_type;
|
|
type selinuxfs, fs_type, mlstrustedobject;
|
|
type cgroup, fs_type, mlstrustedobject;
|
|
type sysfs, fs_type, sysfs_type, mlstrustedobject;
|
|
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
|
|
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
|
|
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
|
|
type sysfs_wake_lock, fs_type, sysfs_type;
|
|
type sysfs_mac_address, fs_type, sysfs_type;
|
|
# /sys/devices/system/cpu
|
|
type sysfs_devices_system_cpu, fs_type, sysfs_type;
|
|
# /sys/module/lowmemorykiller
|
|
type sysfs_lowmemorykiller, fs_type, sysfs_type;
|
|
type inotify, fs_type, mlstrustedobject;
|
|
type devpts, fs_type, mlstrustedobject;
|
|
type tmpfs, fs_type;
|
|
type shm, fs_type;
|
|
type mqueue, fs_type;
|
|
type fuse, sdcard_type, fs_type, mlstrustedobject;
|
|
type vfat, sdcard_type, fs_type, mlstrustedobject;
|
|
typealias fuse alias sdcard_internal;
|
|
typealias vfat alias sdcard_external;
|
|
type debugfs, fs_type, mlstrustedobject;
|
|
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
|
|
type pstorefs, fs_type;
|
|
type functionfs, fs_type;
|
|
type oemfs, fs_type, contextmount_type;
|
|
type usbfs, fs_type;
|
|
type binfmt_miscfs, fs_type;
|
|
|
|
# File types
|
|
type unlabeled, file_type;
|
|
# Default type for anything under /system.
|
|
type system_file, file_type;
|
|
# Type for /system/bin/logcat.
|
|
type logcat_exec, exec_type, file_type;
|
|
# /cores for coredumps on userdebug / eng builds
|
|
type coredump_file, file_type;
|
|
# Default type for anything under /data.
|
|
type system_data_file, file_type, data_file_type;
|
|
# Unencrypted data
|
|
type unencrypted_data_file, file_type, data_file_type;
|
|
# /data/.layout_version or other installd-created files that
|
|
# are created in a system_data_file directory.
|
|
type install_data_file, file_type, data_file_type;
|
|
# /data/drm - DRM plugin data
|
|
type drm_data_file, file_type, data_file_type;
|
|
# /data/adb - adb debugging files
|
|
type adb_data_file, file_type, data_file_type;
|
|
# /data/anr - ANR traces
|
|
type anr_data_file, file_type, data_file_type, mlstrustedobject;
|
|
# /data/tombstones - core dumps
|
|
type tombstone_data_file, file_type, data_file_type;
|
|
# /data/app - user-installed apps
|
|
type apk_data_file, file_type, data_file_type;
|
|
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
|
|
# /data/app-private - forward-locked apps
|
|
type apk_private_data_file, file_type, data_file_type;
|
|
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
|
|
# /data/dalvik-cache
|
|
type dalvikcache_data_file, file_type, data_file_type;
|
|
# /data/resource-cache
|
|
type resourcecache_data_file, file_type, data_file_type;
|
|
# /data/local - writable by shell
|
|
type shell_data_file, file_type, data_file_type, mlstrustedobject;
|
|
# /data/gps
|
|
type gps_data_file, file_type, data_file_type;
|
|
# /data/property
|
|
type property_data_file, file_type, data_file_type;
|
|
# /data/bootchart
|
|
type bootchart_data_file, file_type, data_file_type;
|
|
# /data/system/heapdump
|
|
type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
|
|
# /data/nativetest
|
|
type nativetest_data_file, file_type, data_file_type;
|
|
|
|
# Mount locations managed by vold
|
|
type mnt_media_rw_file, file_type;
|
|
type mnt_user_file, file_type;
|
|
type mnt_expand_file, file_type;
|
|
type storage_file, file_type;
|
|
|
|
# Label for storage dirs which are just mount stubs
|
|
type mnt_media_rw_stub_file, file_type;
|
|
type storage_stub_file, file_type;
|
|
|
|
# /data/misc subdirectories
|
|
type adb_keys_file, file_type, data_file_type;
|
|
type audio_data_file, file_type, data_file_type;
|
|
type bluetooth_data_file, file_type, data_file_type;
|
|
type boottrace_data_file, file_type, data_file_type;
|
|
type camera_data_file, file_type, data_file_type;
|
|
type gatekeeper_data_file, file_type, data_file_type;
|
|
type keychain_data_file, file_type, data_file_type;
|
|
type keystore_data_file, file_type, data_file_type;
|
|
type media_data_file, file_type, data_file_type;
|
|
type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
|
|
type misc_user_data_file, file_type, data_file_type;
|
|
type net_data_file, file_type, data_file_type;
|
|
type nfc_data_file, file_type, data_file_type;
|
|
type radio_data_file, file_type, data_file_type, mlstrustedobject;
|
|
type shared_relro_file, file_type, data_file_type;
|
|
type systemkeys_data_file, file_type, data_file_type;
|
|
type vpn_data_file, file_type, data_file_type;
|
|
type wifi_data_file, file_type, data_file_type;
|
|
type zoneinfo_data_file, file_type, data_file_type;
|
|
type vold_data_file, file_type, data_file_type;
|
|
type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
|
|
# /data/misc/trace for method traces on userdebug / eng builds
|
|
type method_trace_data_file, file_type, data_file_type, mlstrustedobject;
|
|
|
|
# Compatibility with type names used in vanilla Android 4.3 and 4.4.
|
|
typealias audio_data_file alias audio_firmware_file;
|
|
# /data/data subdirectories - app sandboxes
|
|
type app_data_file, file_type, data_file_type;
|
|
# /data/data subdirectory for system UID apps.
|
|
type system_app_data_file, file_type, data_file_type, mlstrustedobject;
|
|
# Compatibility with type name used in Android 4.3 and 4.4.
|
|
typealias app_data_file alias platform_app_data_file;
|
|
typealias app_data_file alias download_file;
|
|
# Default type for anything under /cache
|
|
type cache_file, file_type, mlstrustedobject;
|
|
# Type for /cache/.*\.{data|restore} and default
|
|
# type for anything under /cache/backup
|
|
type cache_backup_file, file_type, mlstrustedobject;
|
|
# Default type for anything under /efs
|
|
type efs_file, file_type;
|
|
# Type for wallpaper file.
|
|
type wallpaper_file, file_type, mlstrustedobject;
|
|
# /mnt/asec
|
|
type asec_apk_file, file_type, data_file_type, mlstrustedobject;
|
|
# Elements of asec files (/mnt/asec) that are world readable
|
|
type asec_public_file, file_type, data_file_type;
|
|
# /data/app-asec
|
|
type asec_image_file, file_type, data_file_type;
|
|
# /data/backup and /data/secure/backup
|
|
type backup_data_file, file_type, data_file_type, mlstrustedobject;
|
|
# For /data/security
|
|
type security_file, file_type;
|
|
# All devices have bluetooth efs files. But they
|
|
# vary per device, so this type is used in per
|
|
# device policy
|
|
type bluetooth_efs_file, file_type;
|
|
# Type for fingerprint template file.
|
|
type fingerprintd_data_file, file_type, data_file_type;
|
|
|
|
# Socket types
|
|
type adbd_socket, file_type;
|
|
type bluetooth_socket, file_type;
|
|
type dnsproxyd_socket, file_type, mlstrustedobject;
|
|
type dumpstate_socket, file_type;
|
|
type fwmarkd_socket, file_type, mlstrustedobject;
|
|
type gps_socket, file_type;
|
|
type installd_socket, file_type;
|
|
type lmkd_socket, file_type;
|
|
type logd_socket, file_type, mlstrustedobject;
|
|
type logdr_socket, file_type, mlstrustedobject;
|
|
type logdw_socket, file_type, mlstrustedobject;
|
|
type mdns_socket, file_type;
|
|
type mdnsd_socket, file_type, mlstrustedobject;
|
|
type misc_logd_file, file_type;
|
|
type mtpd_socket, file_type;
|
|
type netd_socket, file_type;
|
|
type property_socket, file_type;
|
|
type racoon_socket, file_type;
|
|
type rild_socket, file_type;
|
|
type rild_debug_socket, file_type;
|
|
type system_wpa_socket, file_type;
|
|
type system_ndebug_socket, file_type;
|
|
type vold_socket, file_type;
|
|
type wpa_socket, file_type;
|
|
type zygote_socket, file_type;
|
|
type sap_uim_socket, file_type;
|
|
# UART (for GPS) control proc file
|
|
type gps_control, file_type;
|
|
|
|
# property_contexts file
|
|
type property_contexts, file_type;
|
|
|
|
# Allow files to be created in their appropriate filesystems.
|
|
allow fs_type self:filesystem associate;
|
|
allow sysfs_type sysfs:filesystem associate;
|
|
allow debugfs_type debugfs:filesystem associate;
|
|
allow file_type labeledfs:filesystem associate;
|
|
allow file_type tmpfs:filesystem associate;
|
|
allow file_type rootfs:filesystem associate;
|
|
allow dev_type tmpfs:filesystem associate;
|
|
|
|
# It's a bug to assign the file_type attribute and fs_type attribute
|
|
# to any type. Do not allow it.
|
|
#
|
|
# For example, the following is a bug:
|
|
# type apk_data_file, file_type, data_file_type, fs_type;
|
|
# Should be:
|
|
# type apk_data_file, file_type, data_file_type;
|
|
neverallow fs_type file_type:filesystem associate;
|