Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
am: 44826cb5e4

* commit '44826cb5e4b20e0f7b7bfa72f64767e5fcc4f253':
  Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
diff --git a/attributes b/attributes
index 56655c1..e9f51ee 100644
--- a/attributes
+++ b/attributes
@@ -37,6 +37,9 @@
 # All types use for sysfs files.
 attribute sysfs_type;
 
+# All types use for debugfs files.
+attribute debugfs_type;
+
 # Attribute used for all sdcards
 attribute sdcard_type;
 
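Review bot: The new comment on the `attribute debugfs_type;` line copies the grammar slip of the sysfs line just above it (`# All types use for sysfs files.`), so the typo is now propagated rather than fixed. Suggest `# All types used for debugfs files.` for the added line; the sysfs line could be corrected the same way, though that is outside this change.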
diff --git a/domain.te b/domain.te
index 02b884f..2e38e92 100644
--- a/domain.te
+++ b/domain.te
@@ -110,6 +110,12 @@
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
 
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
 ###
 ### neverallow rules
 ###
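Review bot: The comment says "Almost all processes" but the two rules are written on `domain`, i.e. every process now gets `debugfs:dir search` across the whole debugfs tree plus `w_file_perms` on the trace marker; the comment should say so explicitly, e.g. `# Every domain may traverse debugfs and write to /sys/kernel/debug/tracing/trace_marker (see b/6513400).` Because `w_file_perms` is granted policy-wide here, it is worth confirming the macro is limited to what trace_marker needs (open/write/append) and does not carry read or other permissions — the macro definition is not on this page. Since this commit introduces a dedicated type for the only debugfs file most domains should write, the neverallow section that follows would be a natural place to assert that `debugfs:file write` is not granted to domains beyond the ones this change deliberately leaves with it (domain_deprecated, shell), so future rules cannot silently reopen the broad write path.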
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 8d69a7f..5fbeb60 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -71,6 +71,11 @@
 
 # debugfs access
 allow domain_deprecated debugfs:dir r_dir_perms;
+# TODO: The following line can likely be deleted. The only reason
+# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker
+# write access. This was in the days before labels could be assigned
+# to individual files on debugfs
+# (b/18935184, https://android-review.googlesource.com/122130)
 allow domain_deprecated debugfs:file w_file_perms;
 
 # Get SELinux enforcing status.
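Review bot: The new TODO says `allow domain_deprecated debugfs:file w_file_perms;` "can likely be deleted", but after this commit the rule no longer covers trace_marker at all: that file is relabeled to `debugfs_trace_marker` (file.te, file_contexts) and every domain gets its write access from domain.te, so what remains here is write access to every other `debugfs`-labeled file with no stated justification. The comment should say that rather than hedge, e.g. `# TODO: Remove. trace_marker is now labeled debugfs_trace_marker and written via domain.te; this rule only grants write to unrelated debugfs files.` If some domain_deprecated member does still write another debugfs file, naming it here would be better than keeping the blanket grant.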
diff --git a/file.te b/file.te
index 9251741..bab302b 100644
--- a/file.te
+++ b/file.te
@@ -40,6 +40,7 @@
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
 type debugfs, fs_type, mlstrustedobject;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type pstorefs, fs_type;
 type functionfs, fs_type;
 type oemfs, fs_type, contextmount_type;
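Review bot: `type debugfs, fs_type, mlstrustedobject;` is left without the new `debugfs_type` attribute, so `debugfs_type` contains only `debugfs_trace_marker`; in upstream Android policy `sysfs` itself carries `sysfs_type`, so this does not mirror the sysfs model the rest of the change copies. The asymmetry shows up in the init.te hunk of this same commit: init gets relabelfrom on `{ sysfs debugfs }` and relabelto on `{ sysfs_type debugfs_type }`, so a file can be moved from `debugfs` to `debugfs_trace_marker` but not back, and a later relabel from `debugfs_trace_marker` to any other debugfs_type label has no relabelfrom. If that one-way relabel is intentional, a short comment on the `type debugfs` line saying so would help; otherwise `type debugfs, fs_type, debugfs_type, mlstrustedobject;` keeps it parallel to sysfs.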
@@ -198,6 +199,7 @@
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type debugfs:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
diff --git a/file_contexts b/file_contexts
index 152dfb4..075154c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -327,6 +327,11 @@
 /sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
 
 #############################
+# debugfs files
+#
+/sys/kernel/debug/tracing/trace_marker   u:object_r:debugfs_trace_marker:s0
+
+#############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
 /mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
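Review bot: The sysfs entry two lines above the new section uses the `--` regular-file qualifier, while the new trace_marker entry does not; for consistency, and so the label is only applied to a regular file, suggest `/sys/kernel/debug/tracing/trace_marker -- u:object_r:debugfs_trace_marker:s0`. This label only takes effect once debugfs is mounted and init runs restorecon over it (the init.te hunk grants the relabel permissions); that ordering is not visible on this page and is worth confirming.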
diff --git a/init.te b/init.te
index d07c5a7..464f088 100644
--- a/init.te
+++ b/init.te
@@ -103,8 +103,8 @@
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
-allow init sysfs_type:{ dir file lnk_file } relabelto;
+allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;
 
diff --git a/shell.te b/shell.te
index 06d08a8..cc2783c 100644
--- a/shell.te
+++ b/shell.te
@@ -69,12 +69,13 @@
 set_prop(shell, powerctl_prop)
 
 # systrace support - allow atrace to run
-# debugfs doesn't support labeling individual files, so we have
+# debugfs did not support labeling individual files, so we have
 # to grant read access to all of /sys/kernel/debug.
 # Directory read access and file write access is already granted
 # in domain.te.
+# TODO: Fix this now that we support labeling individual debugfs files
+# (b/18935184, https://android-review.googlesource.com/122130)
 allow shell debugfs:file r_file_perms;
-allow shell debugfs:dir search;
 allow shell atrace_exec:file rx_file_perms;
 
 userdebug_or_eng(`
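Review bot: The retained comment "Directory read access and file write access is already granted in domain.te." is stale after this change: domain.te now grants only `debugfs:dir search` (not read) and file write only on `debugfs_trace_marker`, not on `debugfs:file`. The removal of `allow shell debugfs:dir search;` is correct given the new domain rule, but the comment should be reworded to match, e.g. `# Directory search and trace_marker write access come from domain.te.` Note also that `allow shell debugfs:file r_file_perms;` no longer covers trace_marker, which is now a different type — fine if atrace only writes to it, but worth stating. The `userdebug_or_eng(` block begins on the hunk's last line and continues outside it.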