From 3d328179a17364e7bde6c496b6e99fb6601176f6 Mon Sep 17 00:00:00 2001
From: Yasuhiro Matsuda <mazda@google.com>
Date: Wed, 24 Jun 2015 15:24:17 +0900
Subject: [PATCH] Add SELinux settings to support tracing during boot.

This CL adds the SELinux settings required to support tracing
during boot.
https://android-review.googlesource.com/#/c/157163/

BUG: 21739901
Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0
---
 atrace.te         | 24 ++++++++++++++++++++++++
 file.te           |  1 +
 file_contexts     |  2 ++
 property.te       |  1 +
 property_contexts |  1 +
 shell.te          |  8 ++++++++
 6 files changed, 37 insertions(+)
 create mode 100644 atrace.te

diff --git a/atrace.te b/atrace.te
new file mode 100644
index 000000000..61a5875e9
--- /dev/null
+++ b/atrace.te
@@ -0,0 +1,24 @@
+# Domain for atrace process spawned by boottrace service.
+type atrace_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+
+  type atrace, domain;
+  init_daemon_domain(atrace)
+
+  # boottrace services uses /data/misc/boottrace/categories
+  allow atrace boottrace_data_file:dir search;
+  allow atrace boottrace_data_file:file r_file_perms;
+
+  # atrace reads the files in /sys/kernel/debug/tracing/
+  allow atrace debugfs:file r_file_perms;
+
+  # atrace sets debug.atrace.* properties
+  set_prop(atrace, debug_prop)
+
+  # atrace pokes all the binder-enabled processes at startup.
+  binder_use(atrace)
+  allow atrace healthd:binder call;
+  allow atrace surfaceflinger:binder call;
+
+')
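Review bot: `allow atrace debugfs:file r_file_perms;` grants read on every file labeled `debugfs`, while the comment above it limits the need to /sys/kernel/debug/tracing/. If the tracing subtree can be given its own file type, the rule could name that type and keep the rest of debugfs out of reach of an init-spawned daemon. Otherwise the comment should record the wider grant, e.g. `# NOTE: the debugfs type is not limited to tracing/; this is broader than atrace needs`. The binder comment has a similar mismatch: it says atrace pokes all binder-enabled processes, but only `healthd` and `surfaceflinger` are allowed as call targets, so calls to any other service would presumably be denied and logged at boot.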
diff --git a/file.te b/file.te
index d3b09796e..f2fb0d7aa 100644
--- a/file.te
+++ b/file.te
@@ -102,6 +102,7 @@ type storage_stub_file, file_type;
 type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
+type boottrace_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
 type gatekeeper_data_file, file_type, data_file_type;
 type keychain_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index 652f68058..7b65e7baa 100644
--- a/file_contexts
+++ b/file_contexts
@@ -140,6 +140,7 @@
 # System files
 #
 /system(/.*)?		u:object_r:system_file:s0
+/system/bin/atrace	u:object_r:atrace_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
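Review bot: The new `/system/bin/atrace` entry omits the `--` file-type field that the neighbouring `e2fsck` and `fsck` entries carry, so it matches any object type at that path rather than regular files only. Writing it as `/system/bin/atrace	--	u:object_r:atrace_exec:s0` keeps `atrace_exec` on the regular file alone and matches the style of the surrounding block.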
@@ -242,6 +243,7 @@
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
+/data/misc/boottrace(/.*)?      u:object_r:boottrace_data_file:s0
 /data/misc/bluetooth(/.*)?      u:object_r:bluetooth_data_file:s0
 /data/misc/bluedroid(/.*)?      u:object_r:bluetooth_data_file:s0
 /data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
diff --git a/property.te b/property.te
index 94ae714bc..968dfd14d 100644
--- a/property.te
+++ b/property.te
@@ -1,6 +1,7 @@
 type default_prop, property_type;
 type shell_prop, property_type;
 type debug_prop, property_type;
+type persist_debug_prop, property_type;
 type debuggerd_prop, property_type;
 type dhcp_prop, property_type;
 type fingerprint_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 18449108b..1583988f4 100644
--- a/property_contexts
+++ b/property_contexts
@@ -34,6 +34,7 @@ service.adb.root        u:object_r:shell_prop:s0
 service.adb.tcp.port    u:object_r:shell_prop:s0
 
 persist.audio.          u:object_r:audio_prop:s0
+persist.debug.          u:object_r:persist_debug_prop:s0
 persist.logd.           u:object_r:logd_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.service.        u:object_r:system_prop:s0
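Review bot: `persist.debug.` relabels the whole prefix rather than only the property boot tracing needs, and this patch grants `set_prop` on `persist_debug_prop` to `shell` alone, inside `userdebug_or_eng` (shell.te). Any domain that was setting a `persist.debug.*` property under whatever label matched before would lose that ability, and on user builds no domain visible in this patch can set these properties at all. If that is intended, a comment above the entry such as `# persist.debug.* is settable only by shell on userdebug/eng builds` would record it. If not, a narrower prefix for the boot-trace property would limit the relabel.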
diff --git a/shell.te b/shell.te
index 1be9eec97..28f79d6b9 100644
--- a/shell.te
+++ b/shell.te
@@ -55,6 +55,14 @@ set_prop(shell, powerctl_prop)
 # Directory read access and file write access is already granted
 # in domain.te.
 allow shell debugfs:file r_file_perms;
+allow shell atrace_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+  # "systrace --boot" support - allow boottrace service to run
+  allow shell boottrace_data_file:dir rw_dir_perms;
+  allow shell boottrace_data_file:file create_file_perms;
+  set_prop(shell, persist_debug_prop)
+')
 
 # allow shell to run dmesg
 allow shell kernel:system syslog_read;
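Review bot: `allow shell atrace_exec:file rx_file_perms;` sits outside `userdebug_or_eng` with no comment, while every other rule added for boot tracing is guarded, so it reads like an oversight. It is presumably needed because `atrace_exec` is declared and labeled on all build types (atrace.te, file_contexts), and a comment such as `# atrace_exec is labeled on all builds; shell must keep execute access to run atrace` would make that explicit. Inside the guarded block it is also worth documenting the trust relationship: files that shell creates under `boottrace_data_file` are read by the `atrace` domain started from init, e.g. `# shell-written categories are consumed by the init-started atrace domain; userdebug/eng only`.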
-- 
GitLab