commit 75806ef3c529c019ab002072cca7951b91f245aa
author Inseob Kim <inseob@google.com> Wed Mar 27 17:18:41 2024 +0900
committer Inseob Kim <inseob@google.com> Thu Mar 28 00:33:46 2024 +0000
tree cbd0c46779774cd09f127c0e20144c39dff08dca
parent e98c6d2b38114e0819a558ef5e0d2793a30eebff

Minimize public policy

Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12

private/traceur_app.te

diff --git a/private/traceur_app.te b/private/traceur_app.te
index a743917..4e6feff 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -24,3 +24,28 @@
 dontaudit traceur_app debugfs_tracing_debug:file audit_access;
 
 set_prop(traceur_app, debug_prop)
+
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
+
+allow traceur_app {
+  service_manager_type
+  -apex_service
+  -dnsresolver_service
+  -gatekeeper_service
+  -incident_service
+  -installd_service
+  -lpdump_service
+  -mdns_service
+  -netd_service
+  -virtual_touchpad_service
+  -vold_service
+  -default_android_service
+}:service_manager find;
+
+# Allow traceur_app to use atrace HAL
+hal_client_domain(traceur_app, hal_atrace)
+
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;