Fix build.
Make all platform tyeps public to start to prevent build breakage in any devices that may have device-specific policy using these types. Future changes will need to be carefully made to ensure we properly limit types for use by non-platform policy. Test: Builds Change-Id: I7349940d5b5a57357bc7c16f66925dee1d030eb6
This commit is contained in:
parent
e082cdb559
commit
0c8ad1dc94
@ -1,24 +1,3 @@
|
||||
# Domain for atrace process spawned by boottrace service.
|
||||
type atrace_exec, exec_type, file_type;
|
||||
|
||||
userdebug_or_eng(`
|
||||
|
||||
type atrace, domain, domain_deprecated;
|
||||
init_daemon_domain(atrace)
|
||||
|
||||
# boottrace services uses /data/misc/boottrace/categories
|
||||
allow atrace boottrace_data_file:dir search;
|
||||
allow atrace boottrace_data_file:file r_file_perms;
|
||||
|
||||
# atrace reads the files in /sys/kernel/debug/tracing/
|
||||
allow atrace debugfs_tracing:file r_file_perms;
|
||||
|
||||
# atrace sets debug.atrace.* properties
|
||||
set_prop(atrace, debug_prop)
|
||||
|
||||
# atrace pokes all the binder-enabled processes at startup.
|
||||
binder_use(atrace)
|
||||
allow atrace healthd:binder call;
|
||||
allow atrace surfaceflinger:binder call;
|
||||
|
||||
')
|
||||
')
|
@ -1,59 +1,3 @@
|
||||
# perfprofd - perf profile collection daemon
|
||||
type perfprofd_exec, exec_type, file_type;
|
||||
|
||||
userdebug_or_eng(`
|
||||
|
||||
type perfprofd, domain, domain_deprecated, mlstrustedsubject;
|
||||
|
||||
init_daemon_domain(perfprofd)
|
||||
|
||||
# perfprofd needs to control CPU hot-plug in order to avoid kernel
|
||||
# perfevents problems in cases where CPU goes on/off during measurement;
|
||||
# this means read access to /sys/devices/system/cpu/possible
|
||||
# and read/write access to /sys/devices/system/cpu/cpu*/online
|
||||
allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
|
||||
|
||||
# perfprofd checks for the existence of and then invokes simpleperf;
|
||||
# simpleperf retains perfprofd domain after exec
|
||||
allow perfprofd system_file:file rx_file_perms;
|
||||
|
||||
# perfprofd reads a config file from /data/data/com.google.android.gms/files
|
||||
allow perfprofd app_data_file:file r_file_perms;
|
||||
allow perfprofd app_data_file:dir search;
|
||||
allow perfprofd self:capability { dac_override };
|
||||
|
||||
# perfprofd opens a file for writing in /data/misc/perfprofd
|
||||
allow perfprofd perfprofd_data_file:file create_file_perms;
|
||||
allow perfprofd perfprofd_data_file:dir rw_dir_perms;
|
||||
|
||||
# perfprofd uses the system log
|
||||
read_logd(perfprofd);
|
||||
write_logd(perfprofd);
|
||||
|
||||
# perfprofd inspects /sys/power/wake_unlock
|
||||
wakelock_use(perfprofd);
|
||||
|
||||
# simpleperf uses ioctl() to turn on kernel perf events measurements
|
||||
allow perfprofd self:capability sys_admin;
|
||||
|
||||
# simpleperf needs to examine /proc to collect task/thread info
|
||||
r_dir_file(perfprofd, domain)
|
||||
|
||||
# simpleperf needs to access /proc/<pid>/exec
|
||||
allow perfprofd self:capability { sys_resource sys_ptrace };
|
||||
neverallow perfprofd domain:process ptrace;
|
||||
|
||||
# simpleperf needs open/read any file that turns up in a profile
|
||||
# to see whether it has a build ID
|
||||
allow perfprofd exec_type:file r_file_perms;
|
||||
|
||||
# simpleperf examines debugfs on startup to collect tracepoint event types
|
||||
allow perfprofd debugfs_tracing:file r_file_perms;
|
||||
|
||||
# simpleperf is going to execute "sleep"
|
||||
allow perfprofd toolbox_exec:file rx_file_perms;
|
||||
|
||||
# needed for simpleperf on some kernels
|
||||
allow perfprofd self:capability ipc_lock;
|
||||
|
||||
')
|
||||
')
|
23
public/atrace.te
Normal file
23
public/atrace.te
Normal file
@ -0,0 +1,23 @@
|
||||
# Domain for atrace process spawned by boottrace service.
|
||||
type atrace_exec, exec_type, file_type;
|
||||
|
||||
userdebug_or_eng(`
|
||||
|
||||
type atrace, domain, domain_deprecated;
|
||||
|
||||
# boottrace services uses /data/misc/boottrace/categories
|
||||
allow atrace boottrace_data_file:dir search;
|
||||
allow atrace boottrace_data_file:file r_file_perms;
|
||||
|
||||
# atrace reads the files in /sys/kernel/debug/tracing/
|
||||
allow atrace debugfs_tracing:file r_file_perms;
|
||||
|
||||
# atrace sets debug.atrace.* properties
|
||||
set_prop(atrace, debug_prop)
|
||||
|
||||
# atrace pokes all the binder-enabled processes at startup.
|
||||
binder_use(atrace)
|
||||
allow atrace healthd:binder call;
|
||||
allow atrace surfaceflinger:binder call;
|
||||
|
||||
')
|
57
public/perfprofd.te
Normal file
57
public/perfprofd.te
Normal file
@ -0,0 +1,57 @@
|
||||
# perfprofd - perf profile collection daemon
|
||||
type perfprofd_exec, exec_type, file_type;
|
||||
|
||||
userdebug_or_eng(`
|
||||
|
||||
type perfprofd, domain, domain_deprecated, mlstrustedsubject;
|
||||
|
||||
# perfprofd needs to control CPU hot-plug in order to avoid kernel
|
||||
# perfevents problems in cases where CPU goes on/off during measurement;
|
||||
# this means read access to /sys/devices/system/cpu/possible
|
||||
# and read/write access to /sys/devices/system/cpu/cpu*/online
|
||||
allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
|
||||
|
||||
# perfprofd checks for the existence of and then invokes simpleperf;
|
||||
# simpleperf retains perfprofd domain after exec
|
||||
allow perfprofd system_file:file rx_file_perms;
|
||||
|
||||
# perfprofd reads a config file from /data/data/com.google.android.gms/files
|
||||
allow perfprofd app_data_file:file r_file_perms;
|
||||
allow perfprofd app_data_file:dir search;
|
||||
allow perfprofd self:capability { dac_override };
|
||||
|
||||
# perfprofd opens a file for writing in /data/misc/perfprofd
|
||||
allow perfprofd perfprofd_data_file:file create_file_perms;
|
||||
allow perfprofd perfprofd_data_file:dir rw_dir_perms;
|
||||
|
||||
# perfprofd uses the system log
|
||||
read_logd(perfprofd);
|
||||
write_logd(perfprofd);
|
||||
|
||||
# perfprofd inspects /sys/power/wake_unlock
|
||||
wakelock_use(perfprofd);
|
||||
|
||||
# simpleperf uses ioctl() to turn on kernel perf events measurements
|
||||
allow perfprofd self:capability sys_admin;
|
||||
|
||||
# simpleperf needs to examine /proc to collect task/thread info
|
||||
r_dir_file(perfprofd, domain)
|
||||
|
||||
# simpleperf needs to access /proc/<pid>/exec
|
||||
allow perfprofd self:capability { sys_resource sys_ptrace };
|
||||
neverallow perfprofd domain:process ptrace;
|
||||
|
||||
# simpleperf needs open/read any file that turns up in a profile
|
||||
# to see whether it has a build ID
|
||||
allow perfprofd exec_type:file r_file_perms;
|
||||
|
||||
# simpleperf examines debugfs on startup to collect tracepoint event types
|
||||
allow perfprofd debugfs_tracing:file r_file_perms;
|
||||
|
||||
# simpleperf is going to execute "sleep"
|
||||
allow perfprofd toolbox_exec:file rx_file_perms;
|
||||
|
||||
# needed for simpleperf on some kernels
|
||||
allow perfprofd self:capability ipc_lock;
|
||||
|
||||
')
|
Loading…
Reference in New Issue
Block a user