From 3d328179a17364e7bde6c496b6e99fb6601176f6 Mon Sep 17 00:00:00 2001 From: Yasuhiro Matsuda Date: Wed, 24 Jun 2015 15:24:17 +0900 Subject: [PATCH] Add SELinux settings to support tracing during boot. This CL adds the SELinux settings required to support tracing during boot. https://android-review.googlesource.com/#/c/157163/ BUG: 21739901 Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0 --- atrace.te | 24 ++++++++++++++++++++++++ file.te | 1 + file_contexts | 2 ++ property.te | 1 + property_contexts | 1 + shell.te | 8 ++++++++ 6 files changed, 37 insertions(+) create mode 100644 atrace.te diff --git a/atrace.te b/atrace.te new file mode 100644 index 000000000..61a5875e9 --- /dev/null +++ b/atrace.te @@ -0,0 +1,24 @@ +# Domain for atrace process spawned by boottrace service. +type atrace_exec, exec_type, file_type; + +userdebug_or_eng(` + + type atrace, domain; + init_daemon_domain(atrace) + + # boottrace services uses /data/misc/boottrace/categories + allow atrace boottrace_data_file:dir search; + allow atrace boottrace_data_file:file r_file_perms; + + # atrace reads the files in /sys/kernel/debug/tracing/ + allow atrace debugfs:file r_file_perms; + + # atrace sets debug.atrace.* properties + set_prop(atrace, debug_prop) + + # atrace pokes all the binder-enabled processes at startup. + binder_use(atrace) + allow atrace healthd:binder call; + allow atrace surfaceflinger:binder call; + +') diff --git a/file.te b/file.te index d3b09796e..f2fb0d7aa 100644 --- a/file.te +++ b/file.te @@ -102,6 +102,7 @@ type storage_stub_file, file_type; type adb_keys_file, file_type, data_file_type; type audio_data_file, file_type, data_file_type; type bluetooth_data_file, file_type, data_file_type; +type boottrace_data_file, file_type, data_file_type; type camera_data_file, file_type, data_file_type; type gatekeeper_data_file, file_type, data_file_type; type keychain_data_file, file_type, data_file_type; diff --git a/file_contexts b/file_contexts index 652f68058..7b65e7baa 100644 --- a/file_contexts +++ b/file_contexts @@ -140,6 +140,7 @@ # System files # /system(/.*)? u:object_r:system_file:s0 +/system/bin/atrace u:object_r:atrace_exec:s0 /system/bin/e2fsck -- u:object_r:fsck_exec:s0 /system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0 /system/bin/fsck_msdos -- u:object_r:fsck_exec:s0 @@ -242,6 +243,7 @@ # Misc data /data/misc/adb(/.*)? u:object_r:adb_keys_file:s0 /data/misc/audio(/.*)? u:object_r:audio_data_file:s0 +/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0 /data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0 /data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0 /data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0 diff --git a/property.te b/property.te index 94ae714bc..968dfd14d 100644 --- a/property.te +++ b/property.te @@ -1,6 +1,7 @@ type default_prop, property_type; type shell_prop, property_type; type debug_prop, property_type; +type persist_debug_prop, property_type; type debuggerd_prop, property_type; type dhcp_prop, property_type; type fingerprint_prop, property_type; diff --git a/property_contexts b/property_contexts index 18449108b..1583988f4 100644 --- a/property_contexts +++ b/property_contexts @@ -34,6 +34,7 @@ service.adb.root u:object_r:shell_prop:s0 service.adb.tcp.port u:object_r:shell_prop:s0 persist.audio. u:object_r:audio_prop:s0 +persist.debug. u:object_r:persist_debug_prop:s0 persist.logd. u:object_r:logd_prop:s0 persist.sys. u:object_r:system_prop:s0 persist.service. u:object_r:system_prop:s0 diff --git a/shell.te b/shell.te index 1be9eec97..28f79d6b9 100644 --- a/shell.te +++ b/shell.te @@ -55,6 +55,14 @@ set_prop(shell, powerctl_prop) # Directory read access and file write access is already granted # in domain.te. allow shell debugfs:file r_file_perms; +allow shell atrace_exec:file rx_file_perms; + +userdebug_or_eng(` + # "systrace --boot" support - allow boottrace service to run + allow shell boottrace_data_file:dir rw_dir_perms; + allow shell boottrace_data_file:file create_file_perms; + set_prop(shell, persist_debug_prop) +') # allow shell to run dmesg allow shell kernel:system syslog_read;