platform_system_sepolicy/private
Ryan Savitski b088e4b11e tracing: allow select tracepoints on release builds
This primarily affects perfetto's traced_probes and shell-invoked
binaries like atrace, but also anyone with access to "debugfs_tracing".

These tracepoints are being actively collected in internal tracing, so
we would like to also make them available on release builds, as they
should be a source of useful system information there as well.

The ones we definitely need:
* sched_waking, sched_wakeup_new: both are similar to the
  already-allowed sched_wakeup. The first differs in which exact process
  context it occurs in, and the latter is the wakeup events of only the
  fresh tasks.
* oom/mark_victim: contains only the pid of the victim. Useful for
  memory-related tracing and analysis.

The other events in this patch are of lesser importance, but also are
fairly straightforward - clocks and priority for frequency/power tracing.

Small extra change: sched_process_free was only relabeled in the tracefs
block, so I've added it to debugfs to keep them in sync. (I wonder whether
debugfs is even necessary at this point... but that's outside of scope
here.)

See the attached bug for a longer explanation. There will also be a
separate patch for system/frameworks/native/atrace/atrace.rc for the
Unix file permissions of these files.

Bug: 179788446
Tested: I did not have access to a "user" build, but I've manually
        checked the labels of events/.../enable tracefs files via ls -Z,
        and strace'd traced_probes on a hacky debug build where I
        commented out its SELinux allow-rule for debugfs_tracing_debug.
Change-Id: I15a9cb33950718757e3ecbd7c71de23b25f85f1d
2021-02-18 16:13:03 +00:00
compat Merge "Add sepolicy swcodec native flag namespace." 2021-02-17 21:30:16 +00:00
access_vectors Move list permission from keystore2_key to keystore class. 2020-10-01 05:33:31 +00:00
adbd.te Let adbd set service.adb.tcp.port. 2020-11-06 13:08:04 -08:00
aidl_lazy_test_server.te Add aidl_lazy_test_server 2020-01-07 15:11:03 -08:00
apex_test_prepostinstall.te
apexd.te Allow apexd to relabel files in /data/apex/decompressed 2021-02-01 13:39:44 +00:00
app.te Let apps read tombstones given to them. 2021-02-08 17:19:43 -08:00
app_neverallows.te sepolicy: rules for uid/pid cgroups v2 hierarchy 2021-02-11 23:40:38 +00:00
app_zygote.te Introduce app_data_file_type attribute. 2020-11-11 14:43:36 +00:00
asan_extract.te Move system property rules to private 2020-03-18 16:46:04 +00:00
atrace.te Make AIDL HAL client attribute an exclusive client. 2020-09-11 00:02:00 +00:00
attributes Add expandattribute to system_and_vendor_property_type 2020-12-01 19:58:02 +09:00
audioserver.te Move audio config props to audio_config_prop 2020-05-06 22:58:29 +09:00
auditctl.te
automotive_display_service.te Update automotive display service rules 2020-02-29 11:01:26 -08:00
binderservicedomain.te Move list permission from keystore2_key to keystore class. 2020-10-01 05:33:31 +00:00
blank_screen.te Allow blank_screen to make binder calls to the servicemanager 2020-04-02 19:38:36 +00:00
blkid.te
blkid_untrusted.te
bluetooth.te Allow Bluetooth to access SystemSuspend control service 2020-10-14 00:31:01 +00:00
bluetoothdomain.te
bootanim.te Reduce graphics logspam 2020-04-02 14:43:17 +02:00
bootstat.te Enable incidentd access to ro.boot.bootreason 2020-04-09 15:57:06 -07:00
boringssl_self_test.te SEPolicy changes to allow vendor BoringSSL self test. 2019-10-01 14:14:36 +01:00
bpfloader.te apply 'fs_bpf_tethering' label to /sys/fs/bpf/tethering 2021-02-11 17:45:06 -08:00
bufferhubd.te
bug_map Merge "Revert "Add bug_map entry for unrelated SELinux denial to unblock IC."" 2021-01-20 07:54:34 +00:00
cameraserver.te
canhalconfigurator.te Revert "Revert "hal_can_*: use hal_attribute_service"" 2021-01-11 18:25:51 +00:00
charger.te Allow charger to read minui properties 2020-07-14 18:06:54 +09:00
clatd.te sepolicy - move public clatd to private 2019-05-11 17:47:25 -07:00
coredomain.te traced_perf: allow RO tracefs access + fix neverallow 2021-01-31 16:44:00 +00:00
cppreopts.te Ignore the denial when system_other is erased 2020-03-31 20:10:26 +08:00
crash_dump.te Permissions for odrefresh and /data/misc/apexdata/com.android.art 2021-01-13 10:38:22 +00:00
credstore.te Add SELinux policy for credstore and update for IC HAL port from HIDL to AIDL. 2020-02-19 13:46:45 -05:00
derive_sdk.te Rename sdkext sepolicy to sdkextensions 2020-01-08 11:41:18 +00:00
dex2oat.te SELinux policy for on-device signing binary. 2021-02-03 16:15:48 +01:00
dexoptanalyzer.te Permissions for odrefresh and /data/misc/apexdata/com.android.art 2021-01-13 10:38:22 +00:00
dhcp.te Move system property rules to private 2020-03-18 16:46:04 +00:00
dnsmasq.te
domain.te sepolicy: rules for uid/pid cgroups v2 hierarchy 2021-02-11 23:40:38 +00:00
drmserver.te Relabel drm related props from exported*_prop 2020-06-19 10:52:10 +09:00
dumpstate.te Add /data/misc/a11ytrace folder to store accessibility trace files. 2021-02-16 09:35:09 -08:00
ephemeral_app.te sepolicy: clean up redundant rules around gpuservice 2020-04-15 09:24:16 -07:00
fastbootd.te Allow snapuserd interaction in recovery and fastbootd. 2021-02-04 22:48:55 -08:00
file.te Add /data/misc/a11ytrace folder to store accessibility trace files. 2021-02-16 09:35:09 -08:00
file_contexts Add /data/misc/a11ytrace folder to store accessibility trace files. 2021-02-16 09:35:09 -08:00
file_contexts_asan Fix data/asan/system/system_ext/lib selinux rule for file_contexts_asan 2020-06-08 10:05:07 +00:00
file_contexts_overlayfs
fingerprintd.te
flags_health_check.te Add sepolicy swcodec native flag namespace. 2021-02-16 09:22:16 -08:00
fs_use private/fs_use: Enable selinux for virtiofs 2020-03-06 17:19:04 +09:00
fsck.te
fsck_untrusted.te
fsverity_init.te SELinux policy for on-device signing binary. 2021-02-03 16:15:48 +01:00
fwk_bufferhub.te
gatekeeperd.te Move system property rules to private 2020-03-18 16:46:04 +00:00
genfs_contexts tracing: allow select tracepoints on release builds 2021-02-18 16:13:03 +00:00
gki_apex_prepostinstall.te Allow GKI APEX to use apexd:fd 2020-08-28 17:29:58 -07:00
gmscore_app.te Allow priv_app system_linker_exec:file execute_no_trans 2021-02-10 10:32:44 -08:00
gpuservice.te Move more properties out of exported3_default_prop 2020-07-21 13:11:57 +09:00
gsid.te Add permissions required to install the DSU to a SD card 2021-01-27 06:36:12 +00:00
hal_allocator_default.te sepolicy: remove ashmemd 2019-09-27 17:43:53 +00:00
hal_lazy_test.te Add rules for hidl_lazy_test* 2020-04-24 14:09:41 -07:00
halclientdomain.te
halserverdomain.te
healthd.te Remove exported2_system_prop 2020-08-06 12:52:32 +09:00
heapprofd.te Allow heapprofd to read shell_test_data_file. 2021-02-09 13:28:49 +00:00
hidl_lazy_test_server.te Add rules for hidl_lazy_test* 2020-04-24 14:09:41 -07:00
hwservice.te Add rules for hidl_lazy_test* 2020-04-24 14:09:41 -07:00
hwservice_contexts Remove thermalcallback_hwservice. 2020-09-16 21:57:05 +00:00
hwservicemanager.te Move system property rules to private 2020-03-18 16:46:04 +00:00
idmap.te
incident.te Allow dumpstate to call incident CLI 2019-08-21 16:10:39 -07:00
incident_helper.te
incidentd.te Permissions for odrefresh and /data/misc/apexdata/com.android.art 2021-01-13 10:38:22 +00:00
init.te init: Allow interacting with snapuserd and libsnapshot. 2020-10-30 00:17:37 -07:00
initial_sid_contexts
initial_sids
inputflinger.te
installd.te Revert "Suppress avc denials due to missing kernel config on mixed version boot test" 2021-01-22 11:05:43 +00:00
iorap_inode2filename.te Permissions for odrefresh and /data/misc/apexdata/com.android.art 2021-01-13 10:38:22 +00:00
iorap_prefecherd.te sepolicy: Add iorap_prefetcherd rules 2019-10-22 12:45:46 -07:00
iorapd.te sepolicy: policies for iorap.inode2filename 2020-02-20 16:38:17 -08:00
isolated_app.te Merge "Revert "Prevent isolated_app from searching system_data_file."" 2020-10-20 10:06:54 +00:00
iw.te
kernel.te Add permissions required to install the DSU to a SD card 2021-01-27 06:36:12 +00:00
keys.conf Don't require seinfo for priv-apps 2019-11-06 08:37:03 -08:00
keystore.te Allow keystore to talk to keymint 2020-12-15 08:25:42 -08:00
keystore2_key_contexts Keystore 2.0: Add wifi namespace to sepolicy. 2021-02-09 08:28:45 -08:00
keystore_keys.te Allow on-device signing daemon to talk to keystore. 2021-02-04 11:56:24 +01:00
linkerconfig.te Allow linkerconfig to read apex-info-file.xml 2020-07-30 01:11:15 +09:00
llkd.te llkd: requires sys_admin permissions 2020-01-15 08:08:59 -08:00
lmkd.te Add lmkd. property policies 2020-05-08 15:35:16 +00:00
logd.te Move system property rules to private 2020-03-18 16:46:04 +00:00
logpersist.te sepolicy: rules for uid/pid cgroups v2 hierarchy 2021-02-11 23:40:38 +00:00
lpdumpd.te binder_use: Allow servicemanager callbacks 2019-12-19 23:07:14 +00:00
mac_permissions.xml Don't require seinfo for priv-apps 2019-11-06 08:37:03 -08:00
mdnsd.te
mediadrmserver.te
mediaextractor.te Add sepolicy swcodec native flag namespace. 2021-02-16 09:22:16 -08:00
mediametrics.te
mediaprovider.te Rename contexts of ffs props 2020-05-11 21:23:37 +09:00
mediaprovider_app.te Relabel drm related props from exported*_prop 2020-06-19 10:52:10 +09:00
mediaserver.te Relabel drm related props from exported*_prop 2020-06-19 10:52:10 +09:00
mediaswcodec.te Add sepolicy swcodec native flag namespace. 2021-02-16 09:22:16 -08:00
mediatranscoding.te transcoding: allow transcoding to connect to thermal manager 2021-01-19 16:19:24 -08:00
mediatuner.te Allow TunerService to find and call TunerResourceManager Service 2021-01-26 19:14:33 +00:00
migrate_legacy_obb_data.te sepolicy: Adjust policy for migrate_legacy_obb_data.sh 2019-07-16 02:55:25 +00:00
mls Split user_profile_data_file label. 2020-12-11 17:35:06 +00:00
mls_decl
mls_macros
mlstrustedsubject.te Remove app_data_file:dir access from dexoptanalyzer. 2020-09-22 15:54:02 +01:00
modprobe.te
mtp.te
netd.te Fix sepolicy to netd. 2021-01-27 17:34:01 +08:00
netutils_wrapper.te
network_stack.te apply 'fs_bpf_tethering' label to /sys/fs/bpf/tethering 2021-02-11 17:45:06 -08:00
nfc.te Add sepolicy to allow read/write nfc snoop log data 2020-09-24 17:36:07 +08:00
notify_traceur.te
odrefresh.te SELinux policy for on-device signing binary. 2021-02-03 16:15:48 +01:00
odsign.te Allow on-device signing daemon to talk to keystore. 2021-02-04 11:56:24 +01:00
otapreopt_chroot.te Temporarily allow otapreopt_chroot to query ro.cold_boot_done prop 2020-11-10 20:38:45 +00:00
otapreopt_slot.te
perfetto.te Create directory for shell<>perfetto interaction 2020-10-13 21:27:27 +00:00
performanced.te
permissioncontroller_app.te Allow PermissonController to find app_api_service and system_api_service. 2020-12-09 11:10:06 +00:00
platform_app.te Revert "Add qemu.hw.mainkeys to system property_contexts" 2021-02-16 18:58:10 +00:00
policy_capabilities
port_contexts
postinstall.te
postinstall_dexopt.te Split user_profile_data_file label. 2020-12-11 17:35:06 +00:00
ppp.te
preloads_copy.te Ignore the denial when system_other is erased 2020-03-31 20:10:26 +08:00
preopt2cachename.te
priv_app.te sepolicy: rules for uid/pid cgroups v2 hierarchy 2021-02-11 23:40:38 +00:00
profcollectd.te Configs for profcollect system properties 2020-10-27 03:46:31 +08:00
profman.te
property.te Add sepolicy swcodec native flag namespace. 2021-02-16 09:22:16 -08:00
property_contexts Merge "Give ota.other.vbmeta_digest the proper context" 2021-02-18 04:10:37 +00:00
racoon.te
radio.te Remove exported3_radio_prop 2020-08-03 09:23:39 +00:00
recovery.te Allow snapuserd interaction in recovery and fastbootd. 2021-02-04 22:48:55 -08:00
recovery_persist.te In native coverage builds, allow all domains to access /data/misc/trace 2019-06-19 16:27:17 -07:00
recovery_refresh.te In native coverage builds, allow all domains to access /data/misc/trace 2019-06-19 16:27:17 -07:00
remote_prov_app.te SEPolicy for RemoteProvisioning App 2021-02-08 01:33:12 -08:00
roles_decl
rs.te
rss_hwm_reset.te
runas.te
runas_app.te perf_event: rules for system and simpleperf domain 2020-01-15 16:56:41 +00:00
sdcardd.te
seapp_contexts SEPolicy for RemoteProvisioning App 2021-02-08 01:33:12 -08:00
secure_element.te
security_classes Add security class keystore2_key. 2020-08-05 18:51:22 +00:00
service.te Configure sepolicy for TracingServiceProxy 2021-02-05 11:04:11 -08:00
service_contexts Adding SEPolicy for IRemotelyProvisionedComponent 2021-02-15 20:48:45 -08:00
servicemanager.te Allow servicemanager to start processes 2019-08-02 00:23:16 +00:00
sgdisk.te
shared_relro.te Make shared_relro policy private. 2021-01-05 09:48:10 +00:00
shell.te Add /data/misc/a11ytrace folder to store accessibility trace files. 2021-02-16 09:35:09 -08:00
simpleperf.te perf_event: rules for system and simpleperf domain 2020-01-15 16:56:41 +00:00
simpleperf_app_runner.te
slideshow.te
snapshotctl.te snapshotctl: allow to write stats 2020-02-14 20:51:53 +00:00
snapuserd.te Add a kernel transition to snapuserd. 2020-12-14 23:48:08 -08:00
stats.te GpuStats: sepolicy change for using new statsd puller api 2020-02-04 15:55:59 -08:00
statsd.te Selinux changes for statsd flags 2020-11-17 19:28:41 -08:00
storaged.te Allow GMS core to call dumpsys storaged 2019-12-11 12:49:04 -08:00
su.te Permissions for odrefresh and /data/misc/apexdata/com.android.art 2021-01-13 10:38:22 +00:00
surfaceflinger.te sepolicy: rules for uid/pid cgroups v2 hierarchy 2021-02-11 23:40:38 +00:00
system_app.te sepolicy: rules for uid/pid cgroups v2 hierarchy 2021-02-11 23:40:38 +00:00
system_server.te Merge "Add sepolicy swcodec native flag namespace." 2021-02-17 21:30:16 +00:00
system_server_startup.te Revert "Sepolicy: Allow system_server_startup to load dalvikcache artifacts" 2020-03-16 16:44:55 +00:00
system_suspend.te Sepolicy for dumsys suspend_control in bugreport 2020-11-23 19:04:04 -05:00
technical_debt.cil Use attributes for exclusive property owners 2020-11-30 18:34:30 +09:00
tombstoned.te Add tombstone_config_prop and move related prop 2020-07-07 14:17:40 +09:00
toolbox.te
traced.te Configure sepolicy for TracingServiceProxy 2021-02-05 11:04:11 -08:00
traced_perf.te traced_perf: allow RO tracefs access + fix neverallow 2021-01-31 16:44:00 +00:00
traced_probes.te Merge "Sepolicy for mm events trace instance" 2021-01-26 14:33:39 +00:00
traceur_app.te Cleanup mechanism for enabling perfetto daemon. 2020-06-01 11:56:03 -07:00
tzdatacheck.te
ueventd.te Move system property rules to private 2020-03-18 16:46:04 +00:00
uncrypt.te Move system property rules to private 2020-03-18 16:46:04 +00:00
untrusted_app.te reland: untrusted_app_29: add new targetSdk domain 2020-01-22 09:47:53 +00:00
untrusted_app_25.te Untrusted_app: audit NETLINK_ROUTE bind and RTM_GETLINK 2020-12-11 14:10:19 +01:00
untrusted_app_27.te Untrusted_app: audit NETLINK_ROUTE bind and RTM_GETLINK 2020-12-11 14:10:19 +01:00
untrusted_app_29.te Untrusted_app: audit NETLINK_ROUTE bind and RTM_GETLINK 2020-12-11 14:10:19 +01:00
untrusted_app_all.te never allow untrusted apps accessing debugfs_tracing 2020-12-07 16:33:59 +08:00
update_engine.te Add sepolicy for starting the snapuserd daemon through init. 2020-11-19 21:03:30 +00:00
update_engine_common.te
update_verifier.te Move system property rules to private 2020-03-18 16:46:04 +00:00
usbd.te Move system property rules to private 2020-03-18 16:46:04 +00:00
users
vdc.te
vendor_init.te Let adbd set service.adb.tcp.port. 2020-11-06 13:08:04 -08:00
viewcompiler.te Give map permission to viewcompiler 2019-08-27 10:43:55 -07:00
virtual_touchpad.te
vold.te Allow gsid to find and binder-call vold 2020-10-23 20:30:00 +08:00
vold_prepare_subdirs.te Permissions for odrefresh and /data/misc/apexdata/com.android.art 2021-01-13 10:38:22 +00:00
vr_hwc.te
vzwomatrigger_app.te Don't run vzwomatrigger_app in permissive mode 2019-12-02 09:41:54 -08:00
wait_for_keymaster.te
watchdogd.te
webview_zygote.te Permissions for odrefresh and /data/misc/apexdata/com.android.art 2021-01-13 10:38:22 +00:00
wificond.te Add wifi_hal_prop and remove exported_wifi_prop 2020-07-17 17:38:13 +09:00
wpantund.te
zygote.te sepolicy: rules for uid/pid cgroups v2 hierarchy 2021-02-11 23:40:38 +00:00