Enable Traceur on user builds.
Test: Standard Traceur workflow works successfully with no
SELinux denials on a user build.
Bug: 64762598
Change-Id: I0dfe506d463b63d70c5bda03f8706041ea7ab448
diff --git a/private/domain.te b/private/domain.te
index 46d3189..dff7957 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -60,7 +60,7 @@
userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-traced_probes')
-shell
- userdebug_or_eng(`-traceur_app')
+ -traceur_app
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
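Review bot: The `-traceur_app` exemption in this neverallow on `debugfs_tracing:file` becomes unconditional with no comment saying why an app domain is exempt on user builds, and the same applies to the private/statsd.te and public/dumpstate.te hunks. The neighbouring `perfprofd` and `traced_probes` entries stay behind `userdebug_or_eng`, so a reader auditing the list cannot tell that this difference is intentional. I would add a line above the entry such as `# traceur_app ships on user builds (b/64762598); keep in sync with private/traceur_app.te`. The neverallow statement begins outside this hunk, so the rest of its exemption list is not visible here.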
diff --git a/private/statsd.te b/private/statsd.te
index a51a547..7221cba 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -86,7 +86,7 @@
-statsd
-system_app
-system_server
- userdebug_or_eng(`-traceur_app')
+ -traceur_app
} stats_service:service_manager find;
# Only statsd and the other root services in limited circumstances.
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 539e8bc..e2d55f8 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -1,10 +1,12 @@
typeattribute traceur_app coredomain;
+app_domain(traceur_app);
+allow traceur_app debugfs_tracing:file rw_file_perms;
+
userdebug_or_eng(`
- app_domain(traceur_app);
- allow traceur_app debugfs_tracing:file rw_file_perms;
allow traceur_app debugfs_tracing_debug:file rw_file_perms;
- allow traceur_app trace_data_file:file create_file_perms;
- allow traceur_app trace_data_file:dir { add_name getattr search write };
- allow traceur_app atrace_exec:file rx_file_perms;
')
+
+allow traceur_app trace_data_file:file create_file_perms;
+allow traceur_app trace_data_file:dir { add_name getattr search write };
+allow traceur_app atrace_exec:file rx_file_perms;
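Review bot: The rules moved out of `userdebug_or_eng` give traceur_app write access to every file labelled `debugfs_tracing` on production devices, and nothing in the file documents why each permission is needed. If `rx_file_perms` includes `execute_no_trans`, as I believe it does, atrace runs inside the traceur_app domain rather than its own, which would explain the direct tracefs access and is worth stating. I would add `# atrace is executed in-domain, so traceur_app needs direct rw access to the tracing control files` above the `debugfs_tracing` rule. Separately, the real gate on user builds is now which package can be assigned this domain; the seapp_contexts entry is not in this diff and should be confirmed to pin the signature and package name.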
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5f6e5f7..9166deb 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -283,6 +283,6 @@
domain
-system_server
-shell
- userdebug_or_eng(`-traceur_app')
+ -traceur_app
-dumpstate
} dumpstate_service:service_manager find;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 46826d4..7113fa7 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -1,23 +1,21 @@
type traceur_app, domain;
-userdebug_or_eng(`
- allow traceur_app servicemanager:service_manager list;
- allow traceur_app hwservicemanager:hwservice_manager list;
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
- set_prop(traceur_app, debug_prop)
+set_prop(traceur_app, debug_prop)
- allow traceur_app {
- service_manager_type
- -gatekeeper_service
- -incident_service
- -installd_service
- -netd_service
- -virtual_touchpad_service
- -vold_service
- -vr_hwc_service
- }:service_manager find;
+allow traceur_app {
+ service_manager_type
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
- dontaudit traceur_app service_manager_type:service_manager find;
- dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
- dontaudit traceur_app domain:binder call;
-')
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;
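Review bot: The three `dontaudit` rules now apply on user builds, so denied service lookups and binder calls from traceur_app are never logged there, and the "no SELinux denials" test in the description cannot cover those classes. The `service_manager_type` find grant is subtraction-based, so any service type added later becomes findable by traceur_app on production devices unless someone remembers to exclude it here. I would at least add `# Expected denials while enumerating services for tracing; suppressed, not allowed` above the `dontaudit` lines, and a comment on the find rule stating that new sensitive services must be added to the exclusion list. `set_prop(traceur_app, debug_prop)` is also unconditional now and deserves a one-line justification, since it lets this domain set `debug_prop`-labelled properties on user builds.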