Use a whitelisting strategy for tracefs. This changes tracefs files to be default-enabled in debug mode, but default-disabled with specific files enabled in user mode. Bug: 64762598 Test: Successfully took traces in user mode. Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb

commit: 2c8ca45d2dd60ce40b236d7f35b41801744da0da [log] [tgz]
author: Carmen Jackson <carmenjackson@google.com> Tue Jan 30 18:14:45 2018 -0800
committer: Carmen Jackson <carmenjackson@google.com> Mon Feb 05 10:03:06 2018 -0800
tree: c59170821e7258851ca2e1b51d17e7f45e6cc58e
parent: de04528c3bb6f0c9aa405635f647b7b118d49806 [diff] [blame]
diff --git a/private/traceur_app.te b/private/traceur_app.te
index e2d55f8..c9e6be1 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te

@@ -2,6 +2,7 @@
 
 app_domain(traceur_app);
 allow traceur_app debugfs_tracing:file rw_file_perms;
+allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
 
 userdebug_or_eng(`
   allow traceur_app debugfs_tracing_debug:file rw_file_perms;
@@ -10,3 +11,5 @@
 allow traceur_app trace_data_file:file create_file_perms;
 allow traceur_app trace_data_file:dir { add_name getattr search write };
 allow traceur_app atrace_exec:file rx_file_perms;
+
+dontaudit traceur_app debugfs_tracing_debug:file audit_access;
commit	2c8ca45d2dd60ce40b236d7f35b41801744da0da	[log] [tgz]
author	Carmen Jackson <carmenjackson@google.com>	Tue Jan 30 18:14:45 2018 -0800
committer	Carmen Jackson <carmenjackson@google.com>	Mon Feb 05 10:03:06 2018 -0800
tree	c59170821e7258851ca2e1b51d17e7f45e6cc58e
parent	de04528c3bb6f0c9aa405635f647b7b118d49806 [diff] [blame]