In native coverage builds, allow all domains to access /data/misc/trace

Bug: http://b/135139675

Coverage files are written to /data/misc/trace (governed by the
method_trace_data_file selinux type).  Allow all domains to access
this directory (create directories, access files) when native coverage
is enabled (by setting NATIVE_COVERAGE to true) in a userdebug or eng
build.

Also relax neverallow constraints to allow access to
method_trace_data_file for native coverage builds.

Test: Build 32-bit cuttlefish with coverage:
          m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
      and verify that there are no selinux denials in kernel log and
      logcat.

Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
diff --git a/public/domain.te b/public/domain.te
index 6c23f6c..a914aaf 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -51,6 +51,12 @@
   allow domain coredump_file:dir ra_dir_perms;
 ')
 
+with_native_coverage(`
+  # Allow writing coverage information to /data/misc/trace
+  allow domain method_trace_data_file:dir create_dir_perms;
+  allow domain method_trace_data_file:file create_file_perms;
+')
+
 # Root fs.
 allow domain tmpfs:dir { getattr search };
 allow domain rootfs:dir search;
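Review bot: The two new allow rules grant every domain, app domains included, create_dir_perms and create_file_perms on method_trace_data_file, so on a coverage build any process can create, overwrite or delete any file under that label — including, judging by the type name, trace output written by other processes — and the one-line comment does not say this is intended. The grant is only as safe as the with_native_coverage gate, which expands to userdebug_or_eng and so never reaches user builds; that is worth stating next to the rule. Suggested comment: `# Allow writing coverage information to /data/misc/trace. Gated on NATIVE_COVERAGE and userdebug_or_eng; intentionally grants every domain, including app domains, create/write access to method_trace_data_file.`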
@@ -847,6 +853,7 @@
     # These functions are considered vndk-stable and thus must be allowed for
     # all processes.
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
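Review bot: The added exemption line has no inline comment, while the neighbouring exemptions in these sets explain why each type is carved out ("granted to domain", "for crash dump collection"), so a later reader cannot tell from the neverallow block alone why method_trace_data_file is excluded or that the exclusion only exists on coverage builds. The same applies to the other three domain.te hunks and to the hal_configstore.te, mediaextractor.te and recovery.te hunks. Suggested form for each: `with_native_coverage(`-method_trace_data_file') # coverage output, see allow rule in domain.te`. The neverallow statement this hunk modifies begins before the hunk, so the full set of types being carved out is not visible here.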
   neverallow {
     vendor_init
@@ -855,6 +862,7 @@
     core_data_file_type
     -unencrypted_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
@@ -873,6 +881,7 @@
     -system_data_file # default label for files on /data. Covered below...
     -vendor_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:dir *;
   neverallow {
     vendor_init
@@ -883,6 +892,7 @@
     -system_data_file
     -vendor_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:dir *;
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 8fe6bbe..1a95b72 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -42,6 +42,7 @@
   -anr_data_file # for crash dump collection
   -tombstone_data_file # for crash dump collection
   -zoneinfo_data_file # granted to domain
+  with_native_coverage(`-method_trace_data_file')
 }:{ file fifo_file sock_file } *;
 
 # Should never need sdcard access
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index c9ff732..c5138a9 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -75,4 +75,5 @@
   data_file_type
   -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
   userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+  with_native_coverage(`-method_trace_data_file')
 }:file open;
diff --git a/public/recovery.te b/public/recovery.te
index d5d16a2..2b77bc3 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -162,9 +162,11 @@
    data_file_type
    -cache_file
    -cache_recovery_file
+  with_native_coverage(`-method_trace_data_file')
 }:file { no_w_file_perms no_x_file_perms };
 neverallow recovery {
    data_file_type
    -cache_file
    -cache_recovery_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir no_w_dir_perms;
diff --git a/public/te_macros b/public/te_macros
index cd4bf61..85783dc 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -510,6 +510,12 @@
 define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
 
 #####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
 # Build-time-only test
 # SELinux rules which are verified during build, but not as part of *TS testing.
 #
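Review bot: The new macro tests the m4 symbol target_with_native_coverage, which nothing in this change defines; if the policy build does not pass it (presumably alongside target_with_asan, which uses the same pattern), ifelse compares the literal symbol name with `true` and every with_native_coverage block silently expands to nothing, so the allow rules and neverallow carve-outs would all disappear without any build error. The header comment should name that dependency and the extra userdebug_or_eng gate so the behaviour is discoverable; suggested text: `# native coverage builds` / `# SELinux rules which apply only to builds with native coverage. Requires the build to define target_with_native_coverage=true (NATIVE_COVERAGE); rules are additionally limited to userdebug/eng builds.`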