Add SELinux policies for traced readonly properties
Added a traced config property context for all traced sysprops that
are readonly. Added the ro.traced.hypervisor system property to this
context.
Test: build Android
Bug: 391958400
Change-Id: I145d882eb54268d88b0c4a107c26cc746365e22c
diff --git a/private/property.te b/private/property.te
index 1ac1230..cd87e7a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -57,6 +57,7 @@
system_internal_prop(system_adbd_prop)
system_internal_prop(system_audio_config_prop)
system_internal_prop(timezone_metadata_prop)
+system_internal_prop(traced_config_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(traced_relay_relay_port_prop)
system_internal_prop(uprobestats_start_with_config_prop)
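Review bot: `system_internal_prop(traced_config_prop)` makes every `ro.traced.*` property (the `ro.traced.` prefix added in the property_contexts hunk) system-internal, which as far as I can tell from this tree's conventions means vendor_init and a vendor build.prop cannot define `ro.traced.hypervisor`; confirm the property is only ever set from the system image. If it has to come from the vendor partition, the context should use a macro that permits vendor-side definition (`system_vendor_config_prop`) instead of `system_internal_prop`. The prefix entry also pulls any future `ro.traced.*` property into this context, which matches the description but deserves a comment beside the property_contexts line, e.g. `# All read-only traced sysprops (ro.traced.*) are system-internal config.`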
diff --git a/private/property_contexts b/private/property_contexts
index 0f86c75..0ed1781 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -89,6 +89,7 @@
persist.traced.enable u:object_r:traced_enabled_prop:s0
traced.lazy. u:object_r:traced_lazy_prop:s0
traced_relay.relay_port u:object_r:traced_relay_relay_port_prop:s0
+ro.traced. u:object_r:traced_config_prop:s0
persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
uprobestats.start_with_config u:object_r:uprobestats_start_with_config_prop:s0
diff --git a/private/traced.te b/private/traced.te
index 1aaf0d1..619a55b 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -56,6 +56,8 @@
# Allow traced to detect if a process is frozen (b/381089063).
allow traced cgroup_v2:file r_file_perms;
+# Allow traced/traced_relay to read the traced config properties.
+get_prop(traced, traced_config_prop)
# Allow traced_relay to read the relay port being used
get_prop(traced, traced_relay_relay_port_prop)
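Review bot: The comment on the new `get_prop` line says `traced/traced_relay`, but the rule grants only the `traced` domain; the neighbouring "Allow traced_relay to read the relay port" comment on a `traced` rule suggests traced_relay runs in the traced domain, and the comment should say so rather than leave the reader to infer it, e.g. `# Allow traced (and traced_relay, which runs in the traced domain) to read the read-only traced config properties.` If traced_relay actually runs in a separate domain, it needs its own `get_prop(<that_domain>, traced_config_prop)` line.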