55e5c9b513
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.
Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
27 lines
873 B
Text
27 lines
873 B
Text
typeattribute traceur_app coredomain;
|
|
|
|
app_domain(traceur_app);
|
|
allow traceur_app debugfs_tracing:file rw_file_perms;
|
|
allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
|
|
|
|
userdebug_or_eng(`
|
|
allow traceur_app debugfs_tracing_debug:file rw_file_perms;
|
|
')
|
|
|
|
allow traceur_app trace_data_file:file create_file_perms;
|
|
allow traceur_app trace_data_file:dir rw_dir_perms;
|
|
allow traceur_app atrace_exec:file rx_file_perms;
|
|
|
|
# To exec the perfetto cmdline client and pass it the trace config on
|
|
# stdint through a pipe.
|
|
allow traceur_app perfetto_exec:file rx_file_perms;
|
|
|
|
# Allow to access traced's privileged consumer socket.
|
|
unix_socket_connect(traceur_app, traced_consumer, traced)
|
|
|
|
dontaudit traceur_app debugfs_tracing_debug:file audit_access;
|
|
|
|
# Allow Traceur to enable traced if necessary.
|
|
set_prop(traceur_app, traced_enabled_prop)
|
|
|
|
set_prop(traceur_app, debug_prop)
|