Add SELinux settings to support tracing during boot.

This CL adds the SELinux settings required to support tracing during boot. https://android-review.googlesource.com/#/c/157163/ BUG: 21739901 Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0

Add SELinux settings to support tracing during boot.
This CL adds the SELinux settings required to support tracing during boot. https://android-review.googlesource.com/#/c/157163/ BUG: 21739901 Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0
3d328179 · Yasuhiro Matsuda · 1de9c492 · 3d328179 · 3d328179 · 3d328179
Commit 3d328179 authored 9 years ago by Yasuhiro Matsuda
--- a/atrace.te
+++ b/atrace.te
+# Domain for atrace process spawned by boottrace service.
+type atrace_exec, exec_type, file_type;
+userdebug_or_eng(`
+  type atrace, domain;
+  init_daemon_domain(atrace)
+  # boottrace services uses /data/misc/boottrace/categories
+  allow atrace boottrace_data_file:dir search;
+  allow atrace boottrace_data_file:file r_file_perms;
+  # atrace reads the files in /sys/kernel/debug/tracing/
+  allow atrace debugfs:file r_file_perms;
+  # atrace sets debug.atrace.* properties
+  set_prop(atrace, debug_prop)
+  # atrace pokes all the binder-enabled processes at startup.
+  binder_use(atrace)
+  allow atrace healthd:binder call;
+  allow atrace surfaceflinger:binder call;
+')
--- a/file.te
+++ b/file.te
@@ -102,6 +102,7 @@ type storage_stub_file, file_type;
 type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
+type boottrace_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
 type gatekeeper_data_file, file_type, data_file_type;
 type keychain_data_file, file_type, data_file_type;

--- a/file_contexts
+++ b/file_contexts
@@ -140,6 +140,7 @@
 # System files
 #
 /system(/.*)?		u:object_r:system_file:s0
+/system/bin/atrace	u:object_r:atrace_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
@@ -242,6 +243,7 @@
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
+/data/misc/boottrace(/.*)?      u:object_r:boottrace_data_file:s0
 /data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
 /data/misc/bluedroid(/.*)?      u:object_r:bluetooth_data_file:s0
 /data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0

--- a/property.te
+++ b/property.te
 type default_prop, property_type;
 type shell_prop, property_type;
 type debug_prop, property_type;
+type persist_debug_prop, property_type;
 type debuggerd_prop, property_type;
 type dhcp_prop, property_type;
 type fingerprint_prop, property_type;

--- a/property_contexts
+++ b/property_contexts
@@ -34,6 +34,7 @@ service.adb.root        u:object_r:shell_prop:s0
 service.adb.tcp.port    u:object_r:shell_prop:s0
 persist.audio.          u:object_r:audio_prop:s0
+persist.debug.          u:object_r:persist_debug_prop:s0
 persist.logd.           u:object_r:logd_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.service.        u:object_r:system_prop:s0

--- a/shell.te
+++ b/shell.te
@@ -55,6 +55,14 @@ set_prop(shell, powerctl_prop)
 # Directory read access and file write access is already granted
 # in domain.te.
 allow shell debugfs:file r_file_perms;
+allow shell atrace_exec:file rx_file_perms;
+userdebug_or_eng(`
+  # "systrace --boot" support - allow boottrace service to run
+  allow shell boottrace_data_file:dir rw_dir_perms;
+  allow shell boottrace_data_file:file create_file_perms;
+  set_prop(shell, persist_debug_prop)
+')
 # allow shell to run dmesg
 allow shell kernel:system syslog_read;