From 2d6942d397f446fe080d6c97c21235124900f7d5 Mon Sep 17 00:00:00 2001
From: Vishnu Nair <vishnun@google.com>
Date: Fri, 17 Nov 2017 08:23:32 -0800
Subject: [PATCH] Add window trace files SELinux policy rules

- Allow system_server to create and write to /data/misc/wmtrace/*
- Allow surfaceflinger to create and write files in /data/misc/wmtrace/*
- Allow dumpstate to read files from /data/misc/wmtrace/*
Permissions are restricted to userdebug or eng builds.

Bug: 64831661

Test: adb shell cmd window tracing start && adb shell cmd window tracing stop
Test: adb shell su root service call SurfaceFlinger 1025 i32 1 >/dev/null && adb shell su root service call SurfaceFlinger 1025 i32 0 >/dev/null
Test: adb bugreport ~/tmp.zip && adb shell su root dmesg | grep 'avc: '

Change-Id: I0b15166560739d73d7749201f3ad197dbcf5791c
---
 private/compat/26.0/26.0.ignore.cil | 3 ++-
 private/dumpstate.te                | 6 ++++++
 private/file.te                     | 3 +++
 private/file_contexts               | 1 +
 private/surfaceflinger.te           | 6 ++++++
 private/system_server.te            | 4 ++++
 6 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index fdc672abc..edbf97ff5 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -42,7 +42,8 @@
     wpantund
     wpantund_exec
     wpantund_service
-    wpantund_tmpfs))
+    wpantund_tmpfs
+    wm_trace_data_file))
 
 ;; private_objects - a collection of types that were labeled differently in
 ;;     older policy, but that should not remain accessible to vendor policy.
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b8f81526c..24a57de96 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -18,6 +18,12 @@ allow dumpstate debugfs_trace_marker:file getattr;
 allow dumpstate atrace_exec:file rx_file_perms;
 allow dumpstate storaged_exec:file rx_file_perms;
 
+# /data/misc/wmtrace for wm traces
+userdebug_or_eng(`
+  allow dumpstate wm_trace_data_file:dir r_dir_perms;
+  allow dumpstate wm_trace_data_file:file r_file_perms;
+')
+
 # Allow dumpstate to make binder calls to storaged service
 binder_call(dumpstate, storaged)
 
diff --git a/private/file.te b/private/file.te
index 6994202ea..5b4dbc804 100644
--- a/private/file.te
+++ b/private/file.te
@@ -3,3 +3,6 @@ type config_gz, fs_type;
 
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/wmtrace for wm traces
+type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 05c36c3d1..b93168b3e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -390,6 +390,7 @@
 /data/misc/update_engine_log(/.*)?  u:object_r:update_engine_log_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 /data/misc/trace(/.*)?          u:object_r:method_trace_data_file:s0
+/data/misc/wmtrace(/.*)?        u:object_r:wm_trace_data_file:s0
 # TODO(calin) label profile reference differently so that only
 # profman run as a special user can write to them
 /data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
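Review bot: The new `/data/misc/wmtrace(/.*)?` entry only takes effect when the directory is created by init or relabelled; nothing in this patch creates the directory and no `type_transition` is added, so if system_server or surfaceflinger created it themselves it would inherit the parent directory's label instead of `wm_trace_data_file` and the new allow rules would not apply. Presumably a companion init `.rc` change adds the `mkdir`; naming that change in the description would make clear the two must land together.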
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index ed67597e6..5fbd9ab26 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -52,6 +52,12 @@ set_prop(surfaceflinger, ctl_bootanim_prop)
 allow surfaceflinger appdomain:fd use;
 allow surfaceflinger app_data_file:file { read write };
 
+# Allow writing surface traces to /data/misc/wmtrace.
+userdebug_or_eng(`
+  allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
+  allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
+')
+
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 
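Review bot: The `allow surfaceflinger wm_trace_data_file:file` line grants `setattr` next to `create` and `w_file_perms`, which lets surfaceflinger change mode and ownership of trace files, and the comment above does not say why that is needed; the same rule is repeated in the system_server.te hunk. Note also that `rw_dir_perms` includes `remove_name` while no `unlink` is granted on `file`, so neither domain can delete an existing trace — that matches the description ("create and write") but should be deliberate, since a trace restart that replaces the file would be denied. A short justification on the comment line would help later reviewers, e.g. `# Allow writing surface traces to /data/misc/wmtrace (setattr: <reason>; delete intentionally not granted).`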
diff --git a/private/system_server.te b/private/system_server.te
index d2a0c5e28..e2b57204f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -641,6 +641,10 @@ userdebug_or_eng(`
 
   # Allow system server to read dmesg
   allow system_server kernel:system syslog_read;
+
+  # Allow writing window traces in /data/misc/wmtrace.
+  allow system_server wm_trace_data_file:dir rw_dir_perms;
+  allow system_server wm_trace_data_file:file { getattr setattr create w_file_perms };
 ')
 
 # For AppFuse.
-- 
GitLab