Move non-treble devices to split file_contexts am: f965a0a176
am: 2703f3eee8
Change-Id: I2130641f315522740c150f4a22f8a4fe20a9a085
diff --git a/private/atrace.te b/private/atrace.te
index 94d8483..8740b63 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -11,8 +11,11 @@
allow atrace boottrace_data_file:dir search;
allow atrace boottrace_data_file:file r_file_perms;
- # atrace reads the files in /sys/kernel/debug/tracing/
+ # Allow atrace to access tracefs.
+ allow atrace debugfs_tracing:dir r_dir_perms;
allow atrace debugfs_tracing:file r_file_perms;
+ allow atrace tracing_shell_writable:file rw_file_perms;
+ allow atrace debugfs_trace_marker:file getattr;
# atrace sets debug.atrace.* properties
set_prop(atrace, debug_prop)
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 43f1135..69602c3 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -190,6 +190,7 @@
userdebug_or_eng(`
auditallow {
domain_deprecated
+ -dumpstate
-fsck
-fsck_untrusted
-sdcardd
@@ -199,6 +200,7 @@
} proc:file r_file_perms;
auditallow {
domain_deprecated
+ -dumpstate
-fsck
-fsck_untrusted
-system_server
@@ -206,6 +208,7 @@
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
auditallow {
domain_deprecated
+ -dumpstate
-fingerprintd
-healthd
-netd
@@ -253,7 +256,7 @@
-surfaceflinger
-system_server
-zygote
-} cgroup:dir r_dir_perms;
+} cgroup:dir { open getattr read ioctl lock }; # search granted to domain
auditallow {
domain_deprecated
-appdomain
@@ -267,7 +270,21 @@
-surfaceflinger
-system_server
-zygote
-} cgroup:{ file lnk_file } r_file_perms;
+} cgroup:file { getattr read ioctl }; # open and lock granted to domain
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dumpstate
+ -fingerprintd
+ -healthd
+ -inputflinger
+ -installd
+ -keystore
+ -netd
+ -surfaceflinger
+ -system_server
+ -zygote
+} cgroup:lnk_file r_file_perms;
auditallow {
domain_deprecated
-appdomain
diff --git a/private/file_contexts b/private/file_contexts
index a15dcb3..c17a39d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -17,8 +17,6 @@
/charger u:object_r:rootfs:s0
/init u:object_r:init_exec:s0
/sbin(/.*)? u:object_r:rootfs:s0
-/sbin/e2fsdroid u:object_r:e2fs_exec:s0
-/sbin/mke2fs u:object_r:e2fs_exec:s0
# For kernel modules
/lib(/.*)? u:object_r:rootfs:s0
@@ -177,6 +175,8 @@
#
/system(/.*)? u:object_r:system_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
+/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
@@ -452,83 +452,6 @@
/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
#############################
-# sysfs files
-#
-/sys/class/leds(/.*)? u:object_r:sysfs_leds:s0
-/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
-/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
-/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0
-/sys/devices/virtual/misc/hw_random(/.*)? u:object_r:sysfs_hwrandom:s0
-/sys/fs/ext4/features(/.*)? u:object_r:sysfs_fs_ext4_features:s0
-/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
-/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
-/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
-/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
-/sys/module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
-/sys/devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
-
-#############################
-# debugfs files
-#
-/sys/kernel/debug/mmc0(/.*)? u:object_r:debugfs_mmc:s0
-
-#############################
-# tracefs files
-#
-/sys/kernel(/debug)?/tracing/buffer_size_kb u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/events/lowmemorykiller/enable u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/options/overwrite u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/options/print-tgid u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace_clock u:object_r:tracing_shell_writable:s0
-/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
-/sys/kernel(/debug)?/tracing/tracing_on u:object_r:tracing_shell_writable:s0
-
-###########################################
-# debug-only tracing
-#
-/sys/kernel/debug/tracing/events/sync/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/workqueue/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/regulator/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/pagecache/enable u:object_r:tracing_shell_writable_debug:s0
-
-/sys/kernel/debug/tracing/events/irq/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ipi/enable u:object_r:tracing_shell_writable_debug:s0
-
-/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/f2fs/f2fs_write_end/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_da_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_da_write_end/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/block/block_rq_issue/enable u:object_r:tracing_shell_writable_debug:s0
-/sys/kernel/debug/tracing/events/block/block_rq_complete/enable u:object_r:tracing_shell_writable_debug:s0
-
-#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a2d9b89..dfd8d9c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -48,6 +48,30 @@
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:usermodehelper:s0
+genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+
+genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
+genfscon debugfs /tracing u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
+genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
genfscon debugfs / u:object_r:debugfs:s0
diff --git a/private/shell.te b/private/shell.te
index 90bed27..6e69151 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -5,8 +5,7 @@
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file r_file_perms;
-allow shell tracing_shell_writable:file rw_file_perms;
+allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4f66ffb..e069fd2 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -137,8 +137,9 @@
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)
-# Read /proc/net
+# Read /proc and /proc/net
allow dumpstate proc_net:file r_file_perms;
+r_dir_file(dumpstate, proc)
# Read network state info files.
allow dumpstate net_data_file:dir search;
diff --git a/public/init.te b/public/init.te
index 8abad58..b21c4d0 100644
--- a/public/init.te
+++ b/public/init.te
@@ -193,7 +193,7 @@
allow init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init tracing_shell_writable:file w_file_perms;
+allow init debugfs_tracing:file w_file_perms;
# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;