From de04528c3bb6f0c9aa405635f647b7b118d49806 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 9 Jan 2018 12:24:47 -0800
Subject: [PATCH] Enable Traceur on user builds.

Test: Standard Traceur workflow works successfully with no
selinux denials on a user build.
Bug: 64762598
Change-Id: I0dfe506d463b63d70c5bda03f8706041ea7ab448
---
 private/domain.te      |  2 +-
 private/statsd.te      |  2 +-
 private/traceur_app.te | 12 +++++++-----
 public/dumpstate.te    |  2 +-
 public/traceur_app.te  | 34 ++++++++++++++++------------------
 5 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/private/domain.te b/private/domain.te
index 46d318913..dff7957f0 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -60,7 +60,7 @@ full_treble_only(`
     userdebug_or_eng(`-perfprofd')
     userdebug_or_eng(`-traced_probes')
     -shell
-    userdebug_or_eng(`-traceur_app')
+    -traceur_app
   } debugfs_tracing:file no_rw_file_perms;
 
   # inotifyfs
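Review bot: Dropping `userdebug_or_eng()` around `-traceur_app` makes this neverallow exemption apply on user builds, with no comment saying why this one domain is carved out while the neighbouring `perfprofd` and `traced_probes` exemptions stay debug-only. A one-line comment above the entry, such as `# traceur_app is enabled on user builds (b/64762598)`, would keep the production exemption list auditable. The same applies to the now-unconditional `-traceur_app` entries in the `stats_service` neverallow in private/statsd.te and the `dumpstate_service` neverallow in public/dumpstate.te. The neverallow block starts above this hunk, so the full exemption set is not visible here.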
diff --git a/private/statsd.te b/private/statsd.te
index a51a547a8..7221cba60 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -86,7 +86,7 @@ neverallow {
   -statsd
   -system_app
   -system_server
-  userdebug_or_eng(`-traceur_app')
+  -traceur_app
 } stats_service:service_manager find;
 
 # Only statsd and the other root services in limited circumstances.
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 539e8bc5b..e2d55f89e 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -1,10 +1,12 @@
 typeattribute traceur_app coredomain;
 
+app_domain(traceur_app);
+allow traceur_app debugfs_tracing:file rw_file_perms;
+
 userdebug_or_eng(`
-  app_domain(traceur_app);
-  allow traceur_app debugfs_tracing:file rw_file_perms;
   allow traceur_app debugfs_tracing_debug:file rw_file_perms;
-  allow traceur_app trace_data_file:file create_file_perms;
-  allow traceur_app trace_data_file:dir { add_name getattr search write };
-  allow traceur_app atrace_exec:file rx_file_perms;
 ')
+
+allow traceur_app trace_data_file:file create_file_perms;
+allow traceur_app trace_data_file:dir { add_name getattr search write };
+allow traceur_app atrace_exec:file rx_file_perms;
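Review bot: `allow traceur_app debugfs_tracing:file rw_file_perms;` now grants read and write on `debugfs_tracing` files on user builds, and nothing in this file records why that is acceptable or why `debugfs_tracing_debug` remains debug-only. Add a comment above the rule, for example `# Needed on user builds; debugfs_tracing_debug stays userdebug/eng only.` How processes are assigned to the traceur_app domain (presumably seapp_contexts) is outside this patch, so it is worth confirming that only the intended Traceur package can land in it. Separately, `app_domain(traceur_app);` carries a trailing semicolon that `set_prop(traceur_app, debug_prop)` in public/traceur_app.te does not.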
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5f6e5f79c..9166deba8 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -283,6 +283,6 @@ neverallow {
   domain
   -system_server
   -shell
-  userdebug_or_eng(`-traceur_app')
+  -traceur_app
   -dumpstate
 } dumpstate_service:service_manager find;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 46826d486..7113fa7ce 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -1,23 +1,21 @@
 type traceur_app, domain;
 
-userdebug_or_eng(`
-  allow traceur_app servicemanager:service_manager list;
-  allow traceur_app hwservicemanager:hwservice_manager list;
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
 
-  set_prop(traceur_app, debug_prop)
+set_prop(traceur_app, debug_prop)
 
-  allow traceur_app {
-    service_manager_type
-    -gatekeeper_service
-    -incident_service
-    -installd_service
-    -netd_service
-    -virtual_touchpad_service
-    -vold_service
-    -vr_hwc_service
-  }:service_manager find;
+allow traceur_app {
+  service_manager_type
+  -gatekeeper_service
+  -incident_service
+  -installd_service
+  -netd_service
+  -virtual_touchpad_service
+  -vold_service
+  -vr_hwc_service
+}:service_manager find;
 
-  dontaudit traceur_app service_manager_type:service_manager find;
-  dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
-  dontaudit traceur_app domain:binder call;
-')
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;
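Review bot: The `service_manager_type` grant is subtractive, so on user builds traceur_app gets `find` on every service outside the seven-entry exclusion list, including any service type added later. Consider an explicit list of the services the app actually needs or, at minimum, a comment above the block such as `# NOTE: deny-list grant, active on user builds; add sensitive services to the exclusions.` The three `dontaudit` rules are also unconditional now, so denied `find` and binder `call` attempts from this domain are not logged on user builds. That also means the "no selinux denials" result in the Test line cannot show that the excluded accesses are never attempted.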
-- 
GitLab