label /sys/kernel/debug/tracing and remove debugfs write

am: fe12b61642 * commit 'fe12b61642a0013e04848b399e59d310926c796f': label /sys/kernel/debug/tracing and remove debugfs write
2015-12-15 00:09:57 +00:00 · 2015-12-15 00:09:57 +00:00 · ba79ddefd5
commit ba79ddefd5
parent fb34acb919 fe12b61642
7 changed files with 7 additions and 22 deletions
--- a/bootanim.te
+++ b/bootanim.te
@ -22,10 +22,6 @@ allow bootanim surfaceflinger_service:service_manager find;
 allow bootanim cgroup:dir { search write };
 allow bootanim cgroup:file w_file_perms;

-# debugfs access
-allow bootanim debugfs:dir r_dir_perms;
-allow bootanim debugfs:file w_file_perms;
-
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;

--- a/domain.te
+++ b/domain.te
@ -118,6 +118,7 @@ allow domain selinuxfs:filesystem getattr;
 # /sys/kernel/debug/tracing/trace_marker
 # The reason behind this is documented in b/6513400
 allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;

 ###
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@ -68,15 +68,6 @@ r_dir_file(domain_deprecated, cgroup)
 r_dir_file(domain_deprecated, proc_net)
 allow domain_deprecated proc_cpuinfo:file r_file_perms;

-# debugfs access
-allow domain_deprecated debugfs:dir r_dir_perms;
-# TODO: The following line can likely be deleted. The only reason
-# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker
-# write access. This was in the days before labels could be assigned
-# to individual files on debugfs
-# (b/18935184, https://android-review.googlesource.com/122130)
-allow domain_deprecated debugfs:file w_file_perms;
-
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
 allow domain_deprecated selinuxfs:file r_file_perms;
--- a/file.te
+++ b/file.te
@ -39,8 +39,9 @@ type fuse, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
-type debugfs, fs_type, mlstrustedobject;
+type debugfs, fs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type;
 type pstorefs, fs_type;
 type functionfs, fs_type;
 type oemfs, fs_type, contextmount_type;
--- a/1
+++ b/1
@ -330,6 +330,7 @@
 #############################
 # debugfs files
 #
+/sys/kernel/debug/tracing(/.*)?          u:object_r:debugfs_tracing:s0
 /sys/kernel/debug/tracing/trace_marker   u:object_r:debugfs_trace_marker:s0

 #############################
--- a/perfprofd.te
+++ b/perfprofd.te
@ -48,7 +48,7 @@ userdebug_or_eng(`
  allow perfprofd exec_type:file r_file_perms;

  # simpleperf examines debugfs on startup to collect tracepoint event types
-  allow perfprofd debugfs:file r_file_perms;
+  allow perfprofd debugfs_tracing:file r_file_perms;

  # simpleperf is going to execute "sleep"
  allow perfprofd toolbox_exec:file rx_file_perms;
--- a/shell.te
+++ b/shell.te
@ -69,13 +69,8 @@ set_prop(shell, debug_prop)
 set_prop(shell, powerctl_prop)

 # systrace support - allow atrace to run
-# debugfs did not support labeling individual files, so we have
-# to grant read access to all of /sys/kernel/debug.
-# Directory read access and file write access is already granted
-# in domain.te.
-# TODO: Fix this now that we support labeling individual debugfs files
-# (b/18935184, https://android-review.googlesource.com/122130)
-allow shell debugfs:file r_file_perms;
+allow shell debugfs_tracing:dir r_dir_perms;
+allow shell debugfs_tracing:file rw_file_perms;
 allow shell atrace_exec:file rx_file_perms;

 userdebug_or_eng(`