Sepolicy for mm events trace instance

Allow traced_probes read/write access to configure the
mm_events trace instance and poll its trace_pipe_raw.

Bug: 155928119
Test: No denials in logcat
Change-Id: Ib65ab2e7be8daa6b8c412ffea909072583db7002
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index dce98c3..d86e658 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -13,6 +13,7 @@
     cgroup_v2
     ctl_snapuserd_prop
     debugfs_kprobes
+    debugfs_mm_events_tracing
     device_config_profcollect_native_boot_prop
     device_state_service
     dm_user_device
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 74a8434..bfb2412 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -168,6 +168,8 @@
 
 genfscon debugfs /tracing/instances                   u:object_r:debugfs_tracing_instances:s0
 genfscon tracefs /instances                           u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/mm_events         u:object_r:debugfs_mm_events_tracing:s0
+genfscon tracefs /instances/mm_events                 u:object_r:debugfs_mm_events_tracing:s0
 genfscon debugfs /tracing/instances/wifi              u:object_r:debugfs_wifi_tracing:s0
 genfscon tracefs /instances/wifi                      u:object_r:debugfs_wifi_tracing:s0
 genfscon debugfs /tracing/trace_marker                u:object_r:debugfs_trace_marker:s0
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 9da4d94..78b8843 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -16,6 +16,11 @@
 allow traced_probes debugfs_trace_marker:file getattr;
 allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
 
+# Allow traced_probes to access mm_events trace instance
+allow traced_probes debugfs_tracing_instances:dir search;
+allow traced_probes debugfs_mm_events_tracing:dir search;
+allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
+
 # TODO(primiano): temporarily I/O tracing categories are still
 # userdebug only until we nail down the denylist/allowlist.
 userdebug_or_eng(`
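Review bot: The three added allow rules are unconditional, so they apply on user builds too, while the I/O tracing categories directly below are still gated by `userdebug_or_eng`. If mm_events data is meant for debug builds only, the rules belong inside that gate; if it is meant for all builds, the comment should say so. `rw_file_perms` on `debugfs_mm_events_tracing:file` also covers every file in the instance, not only the control files and `trace_pipe_raw` that the commit message names. I would expand the comment to record the intended scope, e.g. `# Configure the mm_events instance (write its control files) and read its trace_pipe_raw; enabled on all build types.` The `userdebug_or_eng` block opened on the last context line continues outside the hunk.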
@@ -134,3 +139,4 @@
 # Only init is allowed to enter the traced_probes domain via exec()
 neverallow { domain -init } traced_probes:process transition;
 neverallow * traced_probes:process dyntransition;
+
diff --git a/public/file.te b/public/file.te
index 404e1d4..e5898bd 100644
--- a/public/file.te
+++ b/public/file.te
@@ -136,6 +136,7 @@
 type debugfs, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
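Review bot: `debugfs_mm_events_tracing` is declared in public policy, but the only rules in this change that use it are in `private/traced_probes.te`. A public type becomes part of the interface vendor policy can reference, so other domains could later be granted access to the mm_events instance outside this review. If no vendor domain is expected to need it, the declaration could probably move to the private `file.te`; otherwise a short comment above the type, such as `# mm_events trace instance; access is limited to traced_probes`, would document the intent.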