From 27c0aa7a425f85b9b38f4c8cc9858bfc2cb45b9c Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Wed, 26 Jul 2017 16:22:50 -0700
Subject: [PATCH] Move file labeling to genfs_contexts.

This should improve performance, as file_contexts is slower than
genfs_contexts.

Bug: 62413700
Test: Built, flashed, and booted Sailfish.  Verified that the
files have the correct context and that wifi, web, and atrace work.

Merged-In: Ia28707ec565a0792bc882fbffe9e8ab9968535f5
Change-Id: I9546f3af3c95e3443684ae4764881b69987611ef
---
 private/file_contexts    | 54 ------------------------------------
 private/genfs_contexts   | 60 ++++++++++++++++++++++++++++++++++++++++
 private/shell.te         |  4 +--
 private/system_server.te |  1 +
 public/file.te           |  2 +-
 public/init.te           |  2 +-
 6 files changed, 65 insertions(+), 58 deletions(-)

diff --git a/private/file_contexts b/private/file_contexts
index d0efed6df..971c0801a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -419,60 +419,6 @@
 # LocalTransport (backup) uses this subtree
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
-#############################
-# sysfs files
-#
-/sys/class/leds(/.*)?                        u:object_r:sysfs_leds:s0
-/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
-/sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
-/sys/devices/virtual/block/zram\d+(/.*)?     u:object_r:sysfs_zram:s0
-/sys/devices/virtual/block/zram\d+/uevent    u:object_r:sysfs_zram_uevent:s0
-/sys/devices/virtual/misc/hw_random(/.*)?    u:object_r:sysfs_hwrandom:s0
-/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
-/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
-/sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
-/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
-/sys/module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
-/sys/devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
-
-#############################
-# debugfs files
-#
-/sys/kernel/debug/mmc0(/.*)?                            u:object_r:debugfs_mmc:s0
-
-#############################
-# tracefs files
-#
-/sys/kernel(/debug)?/tracing/buffer_size_kb                                         u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable                     u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable                       u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable                u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable       u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable                     u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable                      u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable                     u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable                      u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable               u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable                           u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable               u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable                  u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable                       u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable                       u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable    u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable      u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable            u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable             u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/instances(/.*)?                                        u:object_r:debugfs_tracing_instances:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer                             u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/trace                                   u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on                              u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/options/overwrite                                      u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/options/print-tgid                                     u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace                                                  u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace_clock                                            u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace_marker                                           u:object_r:debugfs_trace_marker:s0
-/sys/kernel(/debug)?/tracing/tracing_on                                             u:object_r:tracing_shell_writable:s0
-
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 5c5dd8938..54e9a2c40 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -48,6 +48,66 @@ genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
+genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/block/zram0     u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram1     u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram0/uevent    u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/block/zram1/uevent    u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/misc/hw_random    u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:usermodehelper:s0
+genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+
+genfscon debugfs /mmc0                                u:object_r:debugfs_mmc:s0
+genfscon debugfs /tracing                             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/instances                   u:object_r:debugfs_tracing_instances:s0
+genfscon tracefs /instances                           u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/wifi              u:object_r:debugfs_wifi_tracing:s0
+genfscon tracefs /instances/wifi                      u:object_r:debugfs_wifi_tracing:s0
+genfscon debugfs /tracing/trace_marker                u:object_r:debugfs_trace_marker:s0
+genfscon tracefs /trace_marker                        u:object_r:debugfs_trace_marker:s0
+
+genfscon debugfs /tracing/events/sync/enable                         u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/workqueue/enable                    u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/regulator/enable                    u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/pagecache/enable                    u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/irq/enable                          u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ipi/enable                          u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/enable    u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/enable     u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/enable        u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/enable          u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/enable     u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/enable       u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/enable    u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable     u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/enable         u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/enable      u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/saved_cmdlines_size                        u:object_r:debugfs_tracing_debug:s0
+
+genfscon tracefs /events/sync/enable                         u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/workqueue/enable                    u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/regulator/enable                    u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/pagecache/enable                    u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/irq/enable                          u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ipi/enable                          u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/enable    u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/enable     u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/enable        u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/enable          u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/enable     u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/enable       u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/enable    u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/enable     u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/block/block_rq_issue/enable         u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/block/block_rq_complete/enable      u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /saved_cmdlines_size                        u:object_r:debugfs_tracing_debug:s0
+
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
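Review bot: The zram entries hard-code `zram0` and `zram1`, whereas the file_contexts rules they replace matched `zram\d+`, so a device exposing other zram indices would appear to fall back to the generic `sysfs` label from `genfscon sysfs /`. genfscon paths are literal prefixes with no regex support, so each index needs its own pair of lines, or the limitation should be recorded next to them, for example `# genfscon takes no regex: add a zramN and zramN/uevent entry for every zram device a target exposes.` The removed rules also carried `--` file-type qualifiers (for example on `/sys/module/lowmemorykiller(/.*)?`) that the new entries do not carry, so directories under those paths now take the label as well.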
diff --git a/private/shell.te b/private/shell.te
index afb1f49ba..fa196fa0c 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -5,8 +5,8 @@ allow shell uhid_device:chr_file rw_file_perms;
 
 # systrace support - allow atrace to run
 allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file r_file_perms;
-allow shell tracing_shell_writable:file rw_file_perms;
+allow shell debugfs_tracing:file rw_file_perms;
+
 allow shell debugfs_trace_marker:file getattr;
 allow shell atrace_exec:file rx_file_perms;
 
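Review bot: `allow shell debugfs_tracing:file rw_file_perms;` gives the shell domain write access to every file labelled `debugfs_tracing`, where the removed rules limited writes to the individually listed `tracing_shell_writable` files and left the rest read-only. With `genfscon debugfs /tracing` in private/genfs_contexts labelling the whole subtree, SELinux no longer restricts which tracing controls shell may write; anything without a more specific label is covered, and the limit presumably now rests on file modes set outside this patch. The same widening applies to `allow init debugfs_tracing:file w_file_perms;` in public/init.te and, through the directory-level `debugfs_wifi_tracing` label, to system_server's existing `rw_file_perms` rule. If this is intended, say so above the rule, e.g. `# Write access is type-wide; which files shell can actually write is limited by DAC modes.`, and drop the blank line left where the second rule was.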
diff --git a/private/system_server.te b/private/system_server.te
index 850203bb0..fdde2953d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -656,6 +656,7 @@ allow system_server sysfs_leds:dir r_dir_perms;
 
 # Allow WifiService to start, stop, and read wifi-specific trace events.
 allow system_server debugfs_tracing_instances:dir search;
+allow system_server debugfs_wifi_tracing:dir search;
 allow system_server debugfs_wifi_tracing:file rw_file_perms;
 
 # allow system_server to exec shell on ASAN builds. Needed to run
diff --git a/public/file.te b/public/file.te
index 01b6cf206..cf4285b43 100644
--- a/public/file.te
+++ b/public/file.te
@@ -67,9 +67,9 @@ type debugfs, fs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing, fs_type, debugfs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type;
 type debugfs_tracing_instances, fs_type, debugfs_type;
 type debugfs_wifi_tracing, fs_type, debugfs_type;
-type tracing_shell_writable, fs_type, debugfs_type;
 type pstorefs, fs_type;
 type functionfs, fs_type, mlstrustedobject;
 type oemfs, fs_type, contextmount_type;
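Review bot: `debugfs_tracing_debug` is declared here and applied to many event `enable` files in private/genfs_contexts, but no rule in this patch names it and nothing says which domain is meant to use it. A comment above the declaration would record the intent, for example `# tracefs/debugfs event controls reserved for debug builds` if that is what the type is for. Separately, `tracing_shell_writable` is removed from public/ policy, so any device or vendor policy still referencing it would fail to build unless that is handled outside this patch; the diffstat shows no compatibility mapping being touched.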
diff --git a/public/init.te b/public/init.te
index 699e641b1..b5c698e38 100644
--- a/public/init.te
+++ b/public/init.te
@@ -188,7 +188,7 @@ allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;
 
 # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init tracing_shell_writable:file w_file_perms;
+allow init debugfs_tracing:file w_file_perms;
 
 # Setup and control wifi event tracing (see wifi-events.rc)
 allow init debugfs_tracing_instances:dir create_dir_perms;
-- 
GitLab