Merge "Allow system_server to update timerslack_ns for hal_audio_default" into pi-dev
diff --git a/private/atrace.te b/private/atrace.te
index 3d7902f..630935d 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -1,28 +1,46 @@
-# Domain for atrace process spawned by boottrace service.
+# Domain for atrace process.
+# It is spawned either by traced_probes or by init for the boottrace service.
+type atrace, domain, coredomain;
type atrace_exec, exec_type, file_type;
-userdebug_or_eng(`
- type atrace, domain, coredomain;
+# boottrace services uses /data/misc/boottrace/categories
+allow atrace boottrace_data_file:dir search;
+allow atrace boottrace_data_file:file r_file_perms;
+# Allow atrace to access tracefs.
+allow atrace debugfs_tracing:dir r_dir_perms;
+allow atrace debugfs_tracing:file rw_file_perms;
+allow atrace debugfs_trace_marker:file getattr;
+
+# atrace sets debug.atrace.* properties
+set_prop(atrace, debug_prop)
+
+# atrace pokes all the binder-enabled processes at startup with a
+# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
+
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+get_prop(atrace, hwservicemanager_prop)
+
+allow atrace {
+ service_manager_type
+ -incident_service
+ -netd_service
+ -stats_service
+ -dumpstate_service
+ -installd_service
+ -vold_service
+}:service_manager { find };
+allow atrace servicemanager:service_manager list;
+
+userdebug_or_eng(`
+ # atrace is generally invoked as a standalone binary from shell or perf
+ # daemons like Perfetto traced_probes. However, in userdebug builds, there is
+ # a further option to run atrace as an init daemon for boot tracing.
init_daemon_domain(atrace)
- # boottrace services uses /data/misc/boottrace/categories
- allow atrace boottrace_data_file:dir search;
- allow atrace boottrace_data_file:file r_file_perms;
-
- # Allow atrace to access tracefs.
- allow atrace debugfs_tracing:dir r_dir_perms;
- allow atrace debugfs_tracing:file rw_file_perms;
allow atrace debugfs_tracing_debug:dir r_dir_perms;
allow atrace debugfs_tracing_debug:file rw_file_perms;
- allow atrace debugfs_trace_marker:file getattr;
-
- # atrace sets debug.atrace.* properties
- set_prop(atrace, debug_prop)
-
- # atrace pokes all the binder-enabled processes at startup.
- binder_use(atrace)
- allow atrace healthd:binder call;
- allow atrace surfaceflinger:binder call;
')
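Review bot: The two `boottrace_data_file` rules near the top of the new file are now granted on every build, yet the only consumer the file names is the boottrace service, and the comment inside `userdebug_or_eng` describes running atrace from init for boot tracing as a userdebug option. If user builds never start atrace that way, the access is unused privilege there. Consider keeping `allow atrace boottrace_data_file:dir search;` and `allow atrace boottrace_data_file:file r_file_perms;` inside the `userdebug_or_eng` block next to `init_daemon_domain(atrace)`. Separately, the `service_manager find` rule is an exclusion list over `service_manager_type`, so any service type added later becomes findable by atrace by default. A comment stating why each excluded service is excluded would help reviewers decide whether a new one belongs on the list.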
diff --git a/private/bpfloader.te b/private/bpfloader.te
index fe3e648..c0b4999 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -20,7 +20,8 @@
allow bpfloader self:bpf { prog_load prog_run };
# Neverallow rules
-neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
+neverallow { domain -bpfloader } *:bpf prog_load;
+neverallow { domain -bpfloader -netd } *:bpf prog_run;
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
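Review bot: The new `prog_run` neverallow exempts netd for every target type (`*:bpf`), while the only grant visible in this commit is `allow netd bpfloader:bpf prog_run;` in private/netd.te. A later allow rule letting netd run bpf objects labelled with some other domain would pass this check without anyone being prompted to look at it. Adding `neverallow netd { domain -bpfloader }:bpf prog_run;` beside the two new lines would pin the exemption to the one target the netd.te comment describes (xt_bpf rules using bpfloader's programs).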
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 62f81e2..81308db 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -4,6 +4,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( adbd_exec
+ atrace
binder_calls_stats_service
bootloader_boot_reason_prop
blank_screen
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index e84cd55..5ae9e6c 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -3,7 +3,8 @@
;; previous ones. Add here to pass checkapi tests.
(typeattribute new_objects)
(typeattributeset new_objects
- ( binder_calls_stats_service
+ ( atrace
+ binder_calls_stats_service
blank_screen
blank_screen_exec
blank_screen_tmpfs
diff --git a/private/domain.te b/private/domain.te
index 614e4c7..093e302 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -61,7 +61,7 @@
# tracefs
neverallow {
coredomain
- userdebug_or_eng(`-atrace')
+ -atrace
-dumpstate
-init
userdebug_or_eng(`-perfprofd')
diff --git a/private/netd.te b/private/netd.te
index 461d59b..281105d 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -10,3 +10,6 @@
# Allow netd to start bpfloader_exec in its own domain
domain_auto_trans(netd, bpfloader_exec, bpfloader)
+
+# give netd permission to setup iptables rule with xt_bpf
+allow netd bpfloader:bpf prog_run;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 22746e7..46d92f7 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,6 +35,14 @@
# Allow traced_probes to list the system partition.
allow traced_probes system_file:dir { open read };
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace);
+
+# This is needed for: path="/system/bin/linker64"
+# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
+allow atrace traced_probes:fd use;
+
###
### Neverallow rules
###
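Review bot: `allow atrace traced_probes:fd use;` has atrace as its source domain but is declared in traced_probes.te, so someone auditing private/atrace.te will not see the full set of permissions atrace holds. Either move the rule into atrace.te or leave a pointer there, for example `# fd use on traced_probes is granted in traced_probes.te`. As a style point, `domain_auto_trans(traced_probes, atrace_exec, atrace);` ends in `;`, unlike the `domain_auto_trans(netd, bpfloader_exec, bpfloader)` call shown in private/netd.te. Dropping the semicolon keeps macro invocations consistent.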
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 608ba79..47f3bcb 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -44,7 +44,7 @@
allow dex2oat postinstall_file:dir { getattr search };
allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file { getattr read };
+allow dex2oat postinstall_file:lnk_file read;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 8221530..8881f44 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -9,7 +9,7 @@
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
-allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
+allow postinstall_dexopt postinstall_file:lnk_file read;
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;