Merge "Revert "Allow callers of uevent_kernel_*() access to /proc/sys/kernel/overflowuid""
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ab4a49a..77d1b4f 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -53,6 +53,8 @@
timezone_service
tombstoned_java_trace_socket
tombstone_wifi_data_file
+ traceur_app
+ traceur_app_tmpfs
update_engine_log_data_file
vendor_init
vold_prepare_subdirs
diff --git a/private/domain.te b/private/domain.te
index ff7f1b3..1fd75bc 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -72,6 +72,7 @@
-init
userdebug_or_eng(`-perfprofd')
-shell
+ userdebug_or_eng(`-traceur_app')
-vendor_init
} debugfs_tracing:file no_rw_file_perms;
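Review bot: The new `userdebug_or_eng(`-traceur_app')` exclusion lifts the whole `no_rw_file_perms` restriction for the domain, while the only grant visible in this change is `allow traceur_app debugfs_tracing:file r_file_perms;` in private/traceur_app.te. On debug builds a later allow rule could therefore add write, create or unlink on debugfs_tracing files without tripping any neverallow. If read access is all the app needs, a companion rule such as `neverallow traceur_app debugfs_tracing:file no_w_file_perms;` would keep the exemption as narrow as the grant. The neverallow statement begins above this hunk, so the full subject set is not visible here.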
diff --git a/private/seapp_contexts b/private/seapp_contexts
index a97fc70..76f2998 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -95,6 +95,7 @@
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
isSystemServer=true domain=system_server
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
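Review bot: The added `name=com.android.traceur` entry is unconditional, whereas every allow rule for `traceur_app` in this change sits inside `userdebug_or_eng`. On a user build a matching platform-signed package would presumably be placed in a domain with no app_domain rules, which fails closed but is not obvious from this file. A comment above the entry would record that, and also that `seinfo=platform` is what stops a non-platform package from claiming the name, e.g. `# traceur_app only has rules on userdebug/eng builds; keep seinfo=platform so the package name alone cannot select this domain.`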
diff --git a/private/service_contexts b/private/service_contexts
index 2279c51..b059562 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -129,7 +129,6 @@
recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
rttmanager u:object_r:rttmanager_service:s0
-rttmanager2 u:object_r:rttmanager_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
diff --git a/private/statsd.te b/private/statsd.te
index 82691d3..617021a 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -51,7 +51,7 @@
### neverallow rules
###
-# Only system_server, system_app, and stats command can find the stats service.
+# Only system_server, system_app, traceur_app, and stats command can find the stats service.
neverallow {
domain
-dumpstate
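Review bot: The updated comment lists traceur_app as able to find the stats service without qualification, but the exclusion added in the next hunk is `userdebug_or_eng(`-traceur_app')`, so on user builds the domain stays covered by the neverallow. Wording such as `# Only system_server, system_app, traceur_app (userdebug/eng only), and stats command can find the stats service.` would keep the comment from overstating the exemption. The same applies to the rewritten comment above the dumpstate_service neverallow in public/dumpstate.te. The neverallow block continues past this hunk.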
@@ -60,6 +60,7 @@
-statsd
-system_app
-system_server
+ userdebug_or_eng(`-traceur_app')
} stats_service:service_manager find;
# Only statsd and the other root services in limited circumstances.
diff --git a/private/traceur_app.te b/private/traceur_app.te
new file mode 100644
index 0000000..194a28f
--- /dev/null
+++ b/private/traceur_app.te
@@ -0,0 +1,7 @@
+typeattribute traceur_app coredomain;
+
+userdebug_or_eng(`
+ app_domain(traceur_app);
+ allow traceur_app debugfs_tracing:file r_file_perms;
+ allow traceur_app atrace_exec:file rx_file_perms;
+')
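Review bot: The new file has no header comment, and `typeattribute traceur_app coredomain;` sits outside the `userdebug_or_eng` block while `app_domain(traceur_app)` and both allow rules are inside it. A short header such as `# Traceur: on-device tracing app; all rules are limited to userdebug/eng builds.` would make that split deliberate rather than accidental to the next reader. It is also worth a line of comment on the `atrace_exec` rule: `rx_file_perms` includes `execute_no_trans`, so unless a domain transition is defined elsewhere, atrace runs with traceur_app's own permissions.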
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5dc6894..dd7c1ab 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -272,8 +272,14 @@
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;
-# only system_server, dumpstate and shell can find the dumpstate service
-neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+ domain
+ -system_server
+ -shell
+ userdebug_or_eng(`-traceur_app')
+ -dumpstate
+} dumpstate_service:service_manager find;
# Dumpstate should not be writing to any generically labeled sysfs files.
# Create a specific label for the file type
diff --git a/public/traceur_app.te b/public/traceur_app.te
new file mode 100644
index 0000000..ab08c62
--- /dev/null
+++ b/public/traceur_app.te
@@ -0,0 +1,21 @@
+type traceur_app, domain;
+
+userdebug_or_eng(`
+ allow traceur_app servicemanager:service_manager list;
+ allow traceur_app hwservicemanager:hwservice_manager list;
+
+ set_prop(traceur_app, debug_prop)
+
+ allow traceur_app {
+ service_manager_type
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+ }:service_manager find;
+
+ dontaudit traceur_app domain:binder call;
+')
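Review bot: The `service_manager find` grant is written as a blocklist over `service_manager_type`, so any service type added to the policy later becomes findable by traceur_app unless someone remembers to extend the exclusions. That is worth a comment stating why a blocklist was chosen and how the seven excluded services were picked. Separately, `dontaudit traceur_app domain:binder call;` silences every binder-call denial for this domain, which removes the audit trail needed to see which transactions the app attempts and is being refused. If the intent is only to quiet the noise from probing services during a trace, say so in a comment, e.g. `# Binder calls to services that refuse us are expected; suppress the resulting denials.`, and consider narrowing the target set from `domain`.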