Merge "Add tests for compatible property (1/2)"
diff --git a/private/atrace.te b/private/atrace.te
index fc27517..3d7902f 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -14,6 +14,7 @@
# Allow atrace to access tracefs.
allow atrace debugfs_tracing:dir r_dir_perms;
allow atrace debugfs_tracing:file rw_file_perms;
+ allow atrace debugfs_tracing_debug:dir r_dir_perms;
allow atrace debugfs_tracing_debug:file rw_file_perms;
allow atrace debugfs_trace_marker:file getattr;
diff --git a/private/domain.te b/private/domain.te
index 46d3189..aa35ff9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -17,6 +17,13 @@
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+neverallow {
+ domain
+ -init
+ -vendor_init
+ userdebug_or_eng(`-domain')
+} debugfs_tracing_debug:file no_rw_file_perms;
+
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
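Review bot: The new `neverallow` on `debugfs_tracing_debug:file` at the top of this hunk has no comment, unlike the rules around it, and the `-domain` subtraction inside `userdebug_or_eng` is easy to misread. I would add `# On user builds only init and vendor_init may read or write debug-only tracing nodes; -domain empties the source set on userdebug/eng builds.` above it. The rule covers only the `file` class, so directory access to the new label is governed by the allow rules alone.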
@@ -60,7 +67,7 @@
userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-traced_probes')
-shell
- userdebug_or_eng(`-traceur_app')
+ -traceur_app
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
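Review bot: Replacing the `userdebug_or_eng` wrapper with a plain `-traceur_app` exempts an app domain from this `debugfs_tracing:file` neverallow on user builds too, and the hunk carries no comment saying why that is acceptable. The same unwrapping appears in the `stats_service` find neverallow in private/statsd.te and in the `dumpstate_service` find neverallow in public/dumpstate.te. If the intent is that the domain now exists on user builds, a comment beside each exemption such as `# traceur_app is also present on user builds, so this exemption is unconditional.` would let a later reader audit the three exceptions together. The neverallow block itself starts above the hunk.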
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 0eafca6..8b72457 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -14,6 +14,7 @@
# systrace support - allow atrace to run
allow dumpstate debugfs_tracing:dir r_dir_perms;
allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_tracing_debug:dir r_dir_perms;
allow dumpstate debugfs_trace_marker:file getattr;
allow dumpstate atrace_exec:file rx_file_perms;
allow dumpstate storaged_exec:file rx_file_perms;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8f0d489..986e415 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -123,7 +123,12 @@
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
-genfscon debugfs /tracing u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
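Review bot: The `genfscon tracefs /trace` and `genfscon debugfs /tracing/trace` entries probably label more than the `trace` file, because the kernel matches genfscon paths by string prefix rather than by path component. Unless entries outside this hunk already cover them, sibling nodes such as `trace_pipe` and `trace_options` would get `debugfs_tracing` instead of falling through to the new `debugfs_tracing_debug` default, which is wider than the allowlist reads. It is worth confirming with `ls -Z` on a user build and pinning the siblings that should stay debug-only, for example `genfscon tracefs /trace_pipe u:object_r:debugfs_tracing_debug:s0`, with the matching debugfs line.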
@@ -148,7 +153,6 @@
genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/sync/enable u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
@@ -166,12 +170,62 @@
genfscon tracefs /events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
+
+genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/enable u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/enable u:object_r:debugfs_tracing:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
genfscon debugfs / u:object_r:debugfs:s0
-genfscon tracefs / u:object_r:debugfs_tracing:s0
genfscon fuse / u:object_r:fuse:s0
genfscon configfs / u:object_r:configfs:s0
genfscon sdcardfs / u:object_r:sdcardfs:s0
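Review bot: The two new 25-line blocks have no comment saying that they are the tracing nodes left on `debugfs_tracing` for user builds, while everything else under tracefs now defaults to `debugfs_tracing_debug`. A header above each block, such as `# Tracing nodes usable on user builds; keep the tracefs and debugfs lists in sync.`, would make a one-sided edit easy to spot in review. Without it the split between the two labels has to be reconstructed from the neverallow in private/domain.te.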
diff --git a/private/shell.te b/private/shell.te
index 7a7ebf4..9b7235b 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -4,18 +4,19 @@
allow shell uhid_device:chr_file rw_file_perms;
# systrace support - allow atrace to run
+allow shell debugfs_tracing_debug:dir r_dir_perms;
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
-# read config.gz for CTS purposes
-allow shell config_gz:file r_file_perms;
-
userdebug_or_eng(`
allow shell debugfs_tracing_debug:file rw_file_perms;
')
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
diff --git a/private/statsd.te b/private/statsd.te
index a51a547..7221cba 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -86,7 +86,7 @@
-statsd
-system_app
-system_server
- userdebug_or_eng(`-traceur_app')
+ -traceur_app
} stats_service:service_manager find;
# Only statsd and the other root services in limited circumstances.
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 539e8bc..c9e6be1 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -1,10 +1,15 @@
typeattribute traceur_app coredomain;
+app_domain(traceur_app);
+allow traceur_app debugfs_tracing:file rw_file_perms;
+allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
+
userdebug_or_eng(`
- app_domain(traceur_app);
- allow traceur_app debugfs_tracing:file rw_file_perms;
allow traceur_app debugfs_tracing_debug:file rw_file_perms;
- allow traceur_app trace_data_file:file create_file_perms;
- allow traceur_app trace_data_file:dir { add_name getattr search write };
- allow traceur_app atrace_exec:file rx_file_perms;
')
+
+allow traceur_app trace_data_file:file create_file_perms;
+allow traceur_app trace_data_file:dir { add_name getattr search write };
+allow traceur_app atrace_exec:file rx_file_perms;
+
+dontaudit traceur_app debugfs_tracing_debug:file audit_access;
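Review bot: The added `dontaudit traceur_app debugfs_tracing_debug:file audit_access;` has no comment, and it hides denials on a label the domain cannot read or write on user builds. If the purpose is to quiet access() probes of debug-only nodes, say so with `# Suppress audit noise from access() checks on debug-only trace nodes.` above the rule. The `atrace_exec` grant is also unconditional now and, as far as this hunk shows, has no domain transition, so a comment noting that atrace runs with traceur_app's own permissions would help whoever audits this domain next.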
diff --git a/public/domain.te b/public/domain.te
index 24514bf..b175ed4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -241,6 +241,7 @@
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
# Filesystem access.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5f6e5f7..9166deb 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -283,6 +283,6 @@
domain
-system_server
-shell
- userdebug_or_eng(`-traceur_app')
+ -traceur_app
-dumpstate
} dumpstate_service:service_manager find;
diff --git a/public/file.te b/public/file.te
index f45de90..d1feb3a 100644
--- a/public/file.te
+++ b/public/file.te
@@ -379,7 +379,7 @@
allow cgroup tmpfs:filesystem associate;
allow cgroup_bpf tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
diff --git a/public/init.te b/public/init.te
index c3e36ea..afdc10e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -199,7 +199,7 @@
allow init cache_file:lnk_file r_file_perms;
allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
diff --git a/public/lmkd.te b/public/lmkd.te
index f43e42a..5b6a708 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -35,6 +35,14 @@
allow lmkd proc_zoneinfo:file r_file_perms;
+# live lock watchdog process allowed to look through /proc/
+allow lmkd domain:dir { search open read };
+allow lmkd domain:file { open read };
+
+# live lock watchdog process allowed to dump process trace and
+# reboot because orderly shutdown may not be possible.
+allow lmkd proc_sysrq:file rw_file_perms;
+
### neverallow rules
# never honor LD_PRELOAD
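Review bot: `allow lmkd proc_sysrq:file rw_file_perms;` grants read as well as write on the sysrq trigger, while the comment above it only describes triggering a trace dump and a reboot. If lmkd only writes to the node, `allow lmkd proc_sysrq:file w_file_perms;` is the narrower grant. The `domain:dir { search open read }` and `domain:file { open read }` rules before it let lmkd read the /proc entries of every domain, so the comment should name which files the watchdog actually inspects. "Live lock watchdog" is not defined anywhere in the hunk, and a bug reference would make these grants auditable.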
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 46826d4..7113fa7 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -1,23 +1,21 @@
type traceur_app, domain;
-userdebug_or_eng(`
- allow traceur_app servicemanager:service_manager list;
- allow traceur_app hwservicemanager:hwservice_manager list;
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
- set_prop(traceur_app, debug_prop)
+set_prop(traceur_app, debug_prop)
- allow traceur_app {
- service_manager_type
- -gatekeeper_service
- -incident_service
- -installd_service
- -netd_service
- -virtual_touchpad_service
- -vold_service
- -vr_hwc_service
- }:service_manager find;
+allow traceur_app {
+ service_manager_type
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
- dontaudit traceur_app service_manager_type:service_manager find;
- dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
- dontaudit traceur_app domain:binder call;
-')
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;
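Review bot: With the `userdebug_or_eng` wrapper removed, the `service_manager_type` find grant is an exclusion list that now applies on user builds, so any service type added later becomes findable by traceur_app by default. An explicit list of the services the app needs would be safer. Failing that, a comment above the block such as `# Present on user builds: add every new sensitive service to this exclusion list.` would at least flag the obligation. The three `dontaudit` rules at the end also suppress the denials that would show the app reaching for an excluded service, and `set_prop(traceur_app, debug_prop)` is unconditional as well, with no comment giving the user-build use case.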