From 357c1617f7be659934501b8f3e422405c2c89e45 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Tue, 7 Feb 2017 10:54:20 -0800
Subject: [PATCH] Move atrace policy to private

atrace and its atrace_exec now exist only in private policy.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with atrace_current
      which is expected now that atrace cannot be referenced from
      public or vendor policy.
Bug: 31364497

Change-Id: Ib726bcf73073083420c7c065cbd39dcddd7cabe3
---
 private/atrace.te | 21 +++++++++++++++++++++
 public/atrace.te  | 23 -----------------------
 2 files changed, 21 insertions(+), 23 deletions(-)
 delete mode 100644 public/atrace.te

diff --git a/private/atrace.te b/private/atrace.te
index 7a7a4ca64..9c4f34200 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -1,3 +1,24 @@
+# Domain for atrace process spawned by boottrace service.
+
+type atrace_exec, exec_type, file_type;
+
 userdebug_or_eng(`
+  type atrace, domain, domain_deprecated;
+
   init_daemon_domain(atrace)
+
+  # boottrace services uses /data/misc/boottrace/categories
+  allow atrace boottrace_data_file:dir search;
+  allow atrace boottrace_data_file:file r_file_perms;
+
+  # atrace reads the files in /sys/kernel/debug/tracing/
+  allow atrace debugfs_tracing:file r_file_perms;
+
+  # atrace sets debug.atrace.* properties
+  set_prop(atrace, debug_prop)
+
+  # atrace pokes all the binder-enabled processes at startup.
+  binder_use(atrace)
+  allow atrace healthd:binder call;
+  allow atrace surfaceflinger:binder call;
 ')
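Review bot: The relocated domain keeps the `domain_deprecated` attribute on the added line `type atrace, domain, domain_deprecated;`, which in this policy tree carries a broad set of legacy allow rules beyond the explicit ones listed below it. Now that atrace is private-only and its real needs are spelled out (boottrace_data_file, debugfs_tracing, debug_prop, binder to healthd/surfaceflinger), this is the natural point to drop the attribute and confirm with the same sesearch comparison the description uses that nothing else relies on it; if that is deferred, a `# TODO: remove domain_deprecated once explicit rules are confirmed sufficient` marker would keep it visible. Separately, `type atrace_exec, exec_type, file_type;` is declared outside the userdebug_or_eng block while the domain is inside, so on user builds the exec type exists with no domain attached; that matches the deleted public file and is presumably intentional so file labels still resolve, but a one-line comment such as `# atrace_exec is declared unconditionally so the binary keeps its label on user builds` would save the next reader from re-deriving it.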
diff --git a/public/atrace.te b/public/atrace.te
deleted file mode 100644
index b4ae753f7..000000000
--- a/public/atrace.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# Domain for atrace process spawned by boottrace service.
-type atrace_exec, exec_type, file_type;
-
-userdebug_or_eng(`
-
-  type atrace, domain, domain_deprecated;
-
-  # boottrace services uses /data/misc/boottrace/categories
-  allow atrace boottrace_data_file:dir search;
-  allow atrace boottrace_data_file:file r_file_perms;
-
-  # atrace reads the files in /sys/kernel/debug/tracing/
-  allow atrace debugfs_tracing:file r_file_perms;
-
-  # atrace sets debug.atrace.* properties
-  set_prop(atrace, debug_prop)
-
-  # atrace pokes all the binder-enabled processes at startup.
-  binder_use(atrace)
-  allow atrace healthd:binder call;
-  allow atrace surfaceflinger:binder call;
-
-')
-- 
GitLab