Merge "Revert "Revert "Ensure only com.android.shell can run in the shell domain."""
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 3bf1471..03ace75 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -29,6 +29,9 @@
# Allow procfs access
r_dir_file(traced_probes, domain)
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
###
### Neverallow rules
###
@@ -45,7 +48,7 @@
neverallow traced_probes domain:process ptrace;
# Disallows access to /data files.
-neverallow traced {
+neverallow traced_probes {
data_file_type
-system_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
@@ -53,10 +56,10 @@
-vendor_data_file
-zoneinfo_data_file
}:dir *;
-neverallow traced system_data_file:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced { data_file_type -zoneinfo_data_file }:file *;
+neverallow traced_probes system_data_file:dir ~{ getattr search };
+neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;