Skip to content
Snippets Groups Projects
Commit c2e249dd authored by Primiano Tucci's avatar Primiano Tucci Committed by Android (Google) Code Review
Browse files

Merge "SELinux changes for I/O tracing." into pi-dev

parents aebeae81 8d819055
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
private/genfs_contexts
+ 20
20
View file @ c2e249dd
......@@ -146,16 +146,16 @@ genfscon debugfs /tracing/events/regulator/ u:object_r:
genfscon debugfs /tracing/events/pagecache/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/workqueue/ u:object_r:debugfs_tracing_debug:s0
......@@ -163,16 +163,16 @@ genfscon tracefs /events/regulator/ u:object_r:debugfs_
genfscon tracefs /events/pagecache/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/irq/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
......
private/traced_probes.te
+ 24
2
View file @ c2e249dd
# Perfetto tracing probes, has tracefs access.
type traced_probes, domain, coredomain;
type traced_probes_exec, exec_type, file_type;
# Allow init to exec the daemon.
......@@ -35,6 +34,21 @@ allow traced_probes kmsg_device:chr_file write;
# Allow traced_probes to list the system partition.
allow traced_probes system_file:dir { open read };
# Allow traced_probes to list some of the data partition.
allow traced_probes self:capability dac_read_search;
allow traced_probes apk_data_file:dir { getattr open read };
allow traced_probes dalvikcache_data_file:dir { getattr open read };
userdebug_or_eng(`
allow traced_probes system_data_file:dir { getattr open read };
')
allow traced_probes system_app_data_file:dir { getattr open read };
allow traced_probes backup_data_file:dir { getattr open read };
allow traced_probes bootstat_data_file:dir { getattr open read };
allow traced_probes update_engine_data_file:dir { getattr open read };
allow traced_probes update_engine_log_data_file:dir { getattr open read };
allow traced_probes user_profile_data_file:dir { getattr open read };
# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
domain_auto_trans(traced_probes, atrace_exec, atrace);
......@@ -61,13 +75,21 @@ neverallow traced_probes domain:process ptrace;
# Disallows access to /data files.
neverallow traced_probes {
data_file_type
-apk_data_file
-dalvikcache_data_file
-system_data_file
-system_app_data_file
-backup_data_file
-bootstat_data_file
-update_engine_data_file
-update_engine_log_data_file
-user_profile_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-zoneinfo_data_file
}:dir *;
neverallow traced_probes system_data_file:dir ~{ getattr search };
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
......
public/domain.te
+ 4
1
View file @ c2e249dd
......@@ -1132,6 +1132,9 @@ neverallow {
-appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
-traced_probes # resolve inodes for i/o tracing.
# only needs open and read, the rest is neverallow in
# traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow {
isolated_app
......@@ -1323,7 +1326,7 @@ neverallow {
-vold_prepare_subdirs
-zygote
} self:capability dac_override;
neverallow domain self:capability dac_read_search;
neverallow { domain -traced_probes } self:capability dac_read_search;
# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
......
public/traced_probes.te 0 → 100644
+ 1
0
View file @ c2e249dd
type traced_probes, domain, coredomain;
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment