Adding a traceur_app domain to remove it from shell
This CL creates a traceur_app domain with userdebug privileges akin to
what shell has with regards to being able to find most services on
device. Previously, traceur was running as shell which was an
unintentional abuse of selinux architecture.
Bug: 68126425
Test: Traceur functions outside of shell user privilege
Change-Id: Ib5090e7e8225ad201b3ec24b506fe2717101d0f1
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ab4a49a..77d1b4f 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -53,6 +53,8 @@
timezone_service
tombstoned_java_trace_socket
tombstone_wifi_data_file
+ traceur_app
+ traceur_app_tmpfs
update_engine_log_data_file
vendor_init
vold_prepare_subdirs
diff --git a/private/domain.te b/private/domain.te
index ff7f1b3..1fd75bc 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -72,6 +72,7 @@
-init
userdebug_or_eng(`-perfprofd')
-shell
+ userdebug_or_eng(`-traceur_app')
-vendor_init
} debugfs_tracing:file no_rw_file_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index a97fc70..76f2998 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -95,6 +95,7 @@
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
isSystemServer=true domain=system_server
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
diff --git a/private/statsd.te b/private/statsd.te
index 82691d3..617021a 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -51,7 +51,7 @@
### neverallow rules
###
-# Only system_server, system_app, and stats command can find the stats service.
+# Only system_server, system_app, traceur_app, and stats command can find the stats service.
neverallow {
domain
-dumpstate
@@ -60,6 +60,7 @@
-statsd
-system_app
-system_server
+ userdebug_or_eng(`-traceur_app')
} stats_service:service_manager find;
# Only statsd and the other root services in limited circumstances.
diff --git a/private/traceur_app.te b/private/traceur_app.te
new file mode 100644
index 0000000..194a28f
--- /dev/null
+++ b/private/traceur_app.te
@@ -0,0 +1,7 @@
+typeattribute traceur_app coredomain;
+
+userdebug_or_eng(`
+ app_domain(traceur_app);
+ allow traceur_app debugfs_tracing:file r_file_perms;
+ allow traceur_app atrace_exec:file rx_file_perms;
+')