prefetch: Add new prefetch.te selinux policy
1: Allow prefetch to enable the tracing event
under /sys/kernel/tracing/events/filemap/mm_filemap_add_to_page_cache
2: Store prefetch records under the /metadata/prefetch/ directory
Bug: 362507272
Test: Test prefetch record/replay with enforcing mode
Change-Id: Ia3bcfd94b2f04013437abebbd57f2a5f9aaaadff
Signed-off-by: Akilesh Kailash <akailash@google.com>
diff --git a/private/prefetch.te b/private/prefetch.te
new file mode 100644
index 0000000..c7ee8b1
--- /dev/null
+++ b/private/prefetch.te
@@ -0,0 +1,27 @@
+type prefetch, coredomain, domain;
+type prefetch_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(prefetch)
+
+# Allow prefetch to start recording by enabling tracing event under
+# /sys/kernel/tracing/events/filemap/mm_filemap_add_to_page_cache
+allow prefetch debugfs_tracing_instances:dir create_dir_perms;
+allow prefetch debugfs_tracing_instances:file rw_file_perms;
+
+# Allow to read/write/create/delete to storage prefetch record files
+allow prefetch metadata_file:dir search;
+allow prefetch prefetch_metadata_file:dir rw_dir_perms;
+allow prefetch prefetch_metadata_file:file create_file_perms;
+
+# Disallow other domains controlling prefetch service.
+neverallow {
+ domain
+ -init
+ -shell
+} ctl_prefetch_prop:property_service set;
+
+# Disallow other domains controlling prefetch_boot_prop.
+neverallow {
+ domain
+ -init
+} prefetch_boot_prop:property_service set;
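Review bot: The comment at the top of the hunk describes enabling a single tracing event, but the two allow rules that follow grant create_dir_perms and rw_file_perms on every object labeled debugfs_tracing_instances, so the daemon can read and write any control or output file inside those tracing instances, not just that one event; SELinux types do not narrow to a path. The comment should state the real scope so the next reader does not take it as a per-event grant, e.g. `# prefetch creates its own tracing instance and needs dir/file rw on it; SELinux cannot scope this to a single event`. The types prefetch_metadata_file, ctl_prefetch_prop and prefetch_boot_prop are used here but neither declared nor labeled in this file; presumably file.te, property.te, file_contexts and property_contexts cover them in a sibling change, otherwise /metadata/prefetch would keep the metadata_file label and the prefetch_metadata_file rules would never apply. The -shell exemption in the first neverallow lets the shell domain start and stop the service; if that is only meant for the record/replay test, a comment saying so would document the intent.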