Add SELinux settings to support tracing during boot.
This CL adds the SELinux settings required to support tracing during boot. https://android-review.googlesource.com/#/c/157163/ BUG: 21739901 Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0
parent
1de9c492d1
commit
3d328179a1
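--- a/atrace.te
+++ b/atrace.te
@@ -0,0 +1,24 @@
+# Domain for atrace process spawned by boottrace service.
+type atrace_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+
+type atrace, domain;
+init_daemon_domain(atrace)
+
+# boottrace services uses /data/misc/boottrace/categories
+allow atrace boottrace_data_file:dir search;
+allow atrace boottrace_data_file:file r_file_perms;
+
+# atrace reads the files in /sys/kernel/debug/tracing/
+allow atrace debugfs:file r_file_perms;
+
+# atrace sets debug.atrace.* properties
+set_prop(atrace, debug_prop)
+
+# atrace pokes all the binder-enabled processes at startup.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+
+')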
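Review bot: `allow atrace debugfs:file r_file_perms;` grants read on every file labelled `debugfs`, while the comment above it scopes the need to `/sys/kernel/debug/tracing/`. If the tracing subtree cannot get its own type in this change, the comment should state the real breadth, e.g. `# debugfs has no finer-grained label: this allows reading every debugfs file, not only tracing/`. The binder comment overstates in the same way: it says atrace pokes all binder-enabled processes, but only `healthd` and `surfaceflinger` are granted `binder call`, so calls to other services would presumably be denied. Keeping the domain inside `userdebug_or_eng` is the right containment for both grants.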
1
file.te
1
file.te
@ -102,6 +102,7 @@ type storage_stub_file, file_type;
|
||||
type adb_keys_file, file_type, data_file_type;
|
||||
type audio_data_file, file_type, data_file_type;
|
||||
type bluetooth_data_file, file_type, data_file_type;
|
||||
type boottrace_data_file, file_type, data_file_type;
|
||||
type camera_data_file, file_type, data_file_type;
|
||||
type gatekeeper_data_file, file_type, data_file_type;
|
||||
type keychain_data_file, file_type, data_file_type;
|
||||
|
@ -140,6 +140,7 @@
|
||||
# System files
|
||||
#
|
||||
/system(/.*)? u:object_r:system_file:s0
|
||||
/system/bin/atrace u:object_r:atrace_exec:s0
|
||||
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
|
||||
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
|
||||
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
|
||||
@ -242,6 +243,7 @@
|
||||
# Misc data
|
||||
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
|
||||
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
|
||||
/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
|
||||
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
|
||||
/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
|
||||
/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
|
||||
|
@ -1,6 +1,7 @@
|
||||
type default_prop, property_type;
|
||||
type shell_prop, property_type;
|
||||
type debug_prop, property_type;
|
||||
type persist_debug_prop, property_type;
|
||||
type debuggerd_prop, property_type;
|
||||
type dhcp_prop, property_type;
|
||||
type fingerprint_prop, property_type;
|
||||
|
@ -34,6 +34,7 @@ service.adb.root u:object_r:shell_prop:s0
|
||||
service.adb.tcp.port u:object_r:shell_prop:s0
|
||||
|
||||
persist.audio. u:object_r:audio_prop:s0
|
||||
persist.debug. u:object_r:persist_debug_prop:s0
|
||||
persist.logd. u:object_r:logd_prop:s0
|
||||
persist.sys. u:object_r:system_prop:s0
|
||||
persist.service. u:object_r:system_prop:s0
|
||||
|
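Review bot: The new `persist.debug.` entry relabels that whole prefix to `persist_debug_prop` on every build type, but the only grant for the type visible in this commit is `set_prop(shell, persist_debug_prop)` inside `userdebug_or_eng` in shell.te. Any domain that set a `persist.debug.*` property under its earlier label would presumably lose that access, on user builds included. Please check the existing writers of this prefix and add a comment above the entry naming the intended writers, e.g. `# persist.debug.*: writable by shell on userdebug/eng only (boot tracing)`.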
8
shell.te
8
shell.te
@ -55,6 +55,14 @@ set_prop(shell, powerctl_prop)
|
||||
# Directory read access and file write access is already granted
|
||||
# in domain.te.
|
||||
allow shell debugfs:file r_file_perms;
|
||||
allow shell atrace_exec:file rx_file_perms;
|
||||
|
||||
userdebug_or_eng(`
|
||||
# "systrace --boot" support - allow boottrace service to run
|
||||
allow shell boottrace_data_file:dir rw_dir_perms;
|
||||
allow shell boottrace_data_file:file create_file_perms;
|
||||
set_prop(shell, persist_debug_prop)
|
||||
')
|
||||
|
||||
# allow shell to run dmesg
|
||||
allow shell kernel:system syslog_read;
|
||||
|
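Review bot: `set_prop(shell, persist_debug_prop)` lets the shell domain write any `persist.debug.*` property, and those values survive a reboot, which is wider than the single toggle that `systrace --boot` needs. The grant is limited to userdebug/eng builds, but a narrower property prefix for the boottrace switch would keep shell from steering other boot-time debug knobs. The block also makes `/data/misc/boottrace` shell-writable, and the init-spawned `atrace` domain reads it at boot, so a comment such as `# categories file is shell-controlled input to atrace at boot` would make that trust boundary explicit. `allow shell atrace_exec:file rx_file_perms;` sits outside the `userdebug_or_eng` block and so applies to user builds too; a one-line comment should say that this is intentional.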