Move atrace policy to private

atrace and its atrace_exec now exist only in private policy.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with atrace_current
      which is expected now that atrace cannot be referenced from
      public or vendor policy.
Bug: 31364497

Change-Id: Ib726bcf73073083420c7c065cbd39dcddd7cabe3
diff --git a/private/atrace.te b/private/atrace.te
index 7a7a4ca..9c4f342 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -1,3 +1,24 @@
+# Domain for atrace process spawned by boottrace service.
+
+type atrace_exec, exec_type, file_type;
+
 userdebug_or_eng(`
+  type atrace, domain, domain_deprecated;
+
   init_daemon_domain(atrace)
+
+  # boottrace services uses /data/misc/boottrace/categories
+  allow atrace boottrace_data_file:dir search;
+  allow atrace boottrace_data_file:file r_file_perms;
+
+  # atrace reads the files in /sys/kernel/debug/tracing/
+  allow atrace debugfs_tracing:file r_file_perms;
+
+  # atrace sets debug.atrace.* properties
+  set_prop(atrace, debug_prop)
+
+  # atrace pokes all the binder-enabled processes at startup.
+  binder_use(atrace)
+  allow atrace healthd:binder call;
+  allow atrace surfaceflinger:binder call;
 ')
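Review bot: The `type atrace, domain, domain_deprecated;` declaration keeps the broad legacy permission set that the `domain_deprecated` attribute carries on a domain that is now wholly owned by private policy, so the move is the natural point to drop it and replace it with the few explicit rules atrace actually needs, confirmed with sesearch as the commit message already does. If that is deliberately out of scope for a pure move, a note such as `# TODO: drop domain_deprecated and add explicit allow rules` next to the declaration would keep the debt visible. Separately, the comment `# atrace pokes all the binder-enabled processes at startup.` overstates what the rules below it grant, which is only `binder call` to healthd and surfaceflinger; `# atrace calls into healthd and surfaceflinger over binder at startup.` would match the policy. Note also that atrace_exec is declared outside the userdebug_or_eng block while the atrace domain is inside it, which appears intentional so user builds can still label the binary, but a one-line comment saying so would save the next reader the question.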