75806ef3c5
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
51 lines
1.5 KiB
Text
51 lines
1.5 KiB
Text
typeattribute traceur_app coredomain;
|
|
|
|
app_domain(traceur_app);
|
|
allow traceur_app debugfs_tracing:file rw_file_perms;
|
|
allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
|
|
|
|
userdebug_or_eng(`
|
|
allow traceur_app debugfs_tracing_debug:file rw_file_perms;
|
|
')
|
|
|
|
allow traceur_app trace_data_file:file create_file_perms;
|
|
allow traceur_app trace_data_file:dir rw_dir_perms;
|
|
allow traceur_app wm_trace_data_file:dir rw_dir_perms;
|
|
allow traceur_app wm_trace_data_file:file { getattr r_file_perms unlink };
|
|
allow traceur_app atrace_exec:file rx_file_perms;
|
|
|
|
# To exec the perfetto cmdline client and pass it the trace config on
|
|
# stdint through a pipe.
|
|
allow traceur_app perfetto_exec:file rx_file_perms;
|
|
|
|
# Allow to access traced's privileged consumer socket.
|
|
unix_socket_connect(traceur_app, traced_consumer, traced)
|
|
|
|
dontaudit traceur_app debugfs_tracing_debug:file audit_access;
|
|
|
|
set_prop(traceur_app, debug_prop)
|
|
|
|
allow traceur_app servicemanager:service_manager list;
|
|
allow traceur_app hwservicemanager:hwservice_manager list;
|
|
|
|
allow traceur_app {
|
|
service_manager_type
|
|
-apex_service
|
|
-dnsresolver_service
|
|
-gatekeeper_service
|
|
-incident_service
|
|
-installd_service
|
|
-lpdump_service
|
|
-mdns_service
|
|
-netd_service
|
|
-virtual_touchpad_service
|
|
-vold_service
|
|
-default_android_service
|
|
}:service_manager find;
|
|
|
|
# Allow traceur_app to use atrace HAL
|
|
hal_client_domain(traceur_app, hal_atrace)
|
|
|
|
dontaudit traceur_app service_manager_type:service_manager find;
|
|
dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
|
|
dontaudit traceur_app domain:binder call;
|