never allow untrusted apps accessing debugfs_tracing

debugfs_tracing can only be accessed by tracing tools provided by the
platform.

Bug: 172028429
Test: boot with no relevant log showing up
Change-Id: I412dd51a1b268061c5a972488b8bc4a0ee456601
diff --git a/private/platform_app.te b/private/platform_app.te
index 8163d15..7bf14c8 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -93,6 +93,9 @@
 # allow platform apps to create symbolic link
 allow platform_app app_data_file:lnk_file create_file_perms;
 
+# suppress denials caused by debugfs_tracing
+dontaudit platform_app debugfs_tracing:file rw_file_perms;
+
 ###
 ### Neverallow rules
 ###
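Review bot: The added `dontaudit platform_app debugfs_tracing:file rw_file_perms;` silences write attempts as well as reads, and its comment does not say which component triggers the access or why it is expected, so a later reader cannot tell a benign probe from something worth investigating. The same rule and comment are added for system_app in private/system_app.te and for untrusted_app_all in the second hunk of private/untrusted_app_all.te; in that last case it also removes the audit record that would show an untrusted app trying to open a tracing file. I would name the cause in the comment, for example `# Suppress denials from <triggering component> touching debugfs_tracing files (b/172028429); access stays denied.`, and, if the logged denials were reads only, narrow the set to `r_file_perms` so that write attempts are still audited.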
diff --git a/private/system_app.te b/private/system_app.te
index 53c31c2..a61b946 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -116,6 +116,9 @@
   vr_hwc_service
 }:service_manager find;
 
+# suppress denials caused by debugfs_tracing
+dontaudit system_app debugfs_tracing:file rw_file_perms;
+
 allow system_app keystore:keystore_key {
     get_state
     get
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index bc90450..23ee943 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -64,6 +64,9 @@
 neverallow untrusted_app_all trace_data_file:dir *;
 neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
 
+# neverallow untrusted apps accessing debugfs_tracing
+neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
+
 # Allow to read staged apks.
 allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
 
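Review bot: The new `neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;` constrains only the `file` class, while the comment above it reads as if every kind of access were forbidden. The trace_data_file rules just before it pair a `dir *` rule with the file rule; here a later `allow` on `debugfs_tracing:dir`, or on `getattr` (which, as far as I can tell, `no_rw_file_perms` does not include), would still pass the neverallow check. If that scope is intended, state it in the comment, e.g. `# neverallow read/write of debugfs_tracing files; dir access and getattr are not restricted here`; otherwise consider a matching `neverallow untrusted_app_all debugfs_tracing:dir *;` after confirming that no existing rule for these domains depends on directory access.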
@@ -146,6 +149,9 @@
 # Allow the renderscript compiler to be run.
 domain_auto_trans(untrusted_app_all, rs_exec, rs)
 
+# suppress denials caused by debugfs_tracing
+dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
+
 # This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
 dontaudit untrusted_app_all net_dns_prop:file read;