Commit d807d588 authored by Primiano Tucci's avatar Primiano Tucci

selinux: allow Perfetto traced_probes to write into kmesg

This allows traced_probes to leave an audit trail in dmesg, so that kernel
panics can be cross-correlated with Perfetto ftrace activity.

Bug: 73340039
Change-Id: I575a537553adc75378783c37c84350581250614d
parent f7ec4138
...@@ -29,6 +29,9 @@ allow traced_probes self:global_capability_class_set { sys_nice }; ...@@ -29,6 +29,9 @@ allow traced_probes self:global_capability_class_set { sys_nice };
# Allow procfs access # Allow procfs access
r_dir_file(traced_probes, domain) r_dir_file(traced_probes, domain)
# Allow to log to kernel dmesg when starting / stopping ftrace.
allow traced_probes kmsg_device:chr_file write;
### ###
### Neverallow rules ### Neverallow rules
### ###
...@@ -45,7 +48,7 @@ neverallow traced_probes dev_type:blk_file { read write }; ...@@ -45,7 +48,7 @@ neverallow traced_probes dev_type:blk_file { read write };
neverallow traced_probes domain:process ptrace; neverallow traced_probes domain:process ptrace;
# Disallows access to /data files. # Disallows access to /data files.
neverallow traced { neverallow traced_probes {
data_file_type data_file_type
-system_data_file -system_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
...@@ -53,10 +56,10 @@ neverallow traced { ...@@ -53,10 +56,10 @@ neverallow traced {
-vendor_data_file -vendor_data_file
-zoneinfo_data_file -zoneinfo_data_file
}:dir *; }:dir *;
neverallow traced system_data_file:dir ~{ getattr search }; neverallow traced_probes system_data_file:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms; neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *; neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced { data_file_type -zoneinfo_data_file }:file *; neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
# Only init is allowed to enter the traced_probes domain via exec() # Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition; neverallow { domain -init } traced_probes:process transition;
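Review bot: The new rule `allow traced_probes kmsg_device:chr_file write;` grants write but not open on /dev/kmsg, so it only suffices if traced_probes inherits an already-open descriptor; if the daemon opens /dev/kmsg itself, which is what the "when starting / stopping ftrace" comment suggests, open(2) is a separate permission check on Android (open_perms policy capability) and will be denied, so the rule should be `allow traced_probes kmsg_device:chr_file { open write };` — confirm against how perfetto actually obtains the descriptor. Separately, anything written through this channel is indistinguishable from a kernel-emitted line to consumers of dmesg (logd, bugreports, crash tooling), so the daemon should use an unmistakable message prefix, and the comment above the rule would be clearer as `# Allow to log to kernel dmesg when starting / stopping ftrace. Note: this is a log-injection surface (lines appear kernel-attributed), keep it write-only.` The neverallow block is the end of the file as far as the hunk shows, but the file may continue past it.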