label /sys/kernel/debug/tracing and remove debugfs write
am: fe12b61642
* commit 'fe12b61642a0013e04848b399e59d310926c796f':
label /sys/kernel/debug/tracing and remove debugfs write
This commit is contained in:
commit
ba79ddefd5
@ -22,10 +22,6 @@ allow bootanim surfaceflinger_service:service_manager find;
|
||||
allow bootanim cgroup:dir { search write };
|
||||
allow bootanim cgroup:file w_file_perms;
|
||||
|
||||
# debugfs access
|
||||
allow bootanim debugfs:dir r_dir_perms;
|
||||
allow bootanim debugfs:file w_file_perms;
|
||||
|
||||
# Allow access to ion memory allocation device
|
||||
allow bootanim ion_device:chr_file rw_file_perms;
|
||||
|
||||
|
@ -118,6 +118,7 @@ allow domain selinuxfs:filesystem getattr;
|
||||
# /sys/kernel/debug/tracing/trace_marker
|
||||
# The reason behind this is documented in b/6513400
|
||||
allow domain debugfs:dir search;
|
||||
allow domain debugfs_tracing:dir search;
|
||||
allow domain debugfs_trace_marker:file w_file_perms;
|
||||
|
||||
###
|
||||
|
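Review bot: The added `allow domain debugfs_tracing:dir search;` gives every domain, app domains included, search on the whole relabeled tracing subtree, and nothing in the hunk says it exists only so the path to trace_marker can be traversed. The comment two lines above names only trace_marker, so I would pair the new rule with `# search only, to reach trace_marker; no read of the tracing directory` so that a later change does not widen it to r_dir_perms. The existing `debugfs:dir search` still covers the parent directory, so the two rules together are what keep trace_marker reachable once the subtree carries the new label.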
@ -68,15 +68,6 @@ r_dir_file(domain_deprecated, cgroup)
|
||||
r_dir_file(domain_deprecated, proc_net)
|
||||
allow domain_deprecated proc_cpuinfo:file r_file_perms;
|
||||
|
||||
# debugfs access
|
||||
allow domain_deprecated debugfs:dir r_dir_perms;
|
||||
# TODO: The following line can likely be deleted. The only reason
|
||||
# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker
|
||||
# write access. This was in the days before labels could be assigned
|
||||
# to individual files on debugfs
|
||||
# (b/18935184, https://android-review.googlesource.com/122130)
|
||||
allow domain_deprecated debugfs:file w_file_perms;
|
||||
|
||||
# Get SELinux enforcing status.
|
||||
allow domain_deprecated selinuxfs:dir r_dir_perms;
|
||||
allow domain_deprecated selinuxfs:file r_file_perms;
|
||||
|
3
file.te
3
file.te
@ -39,8 +39,9 @@ type fuse, sdcard_type, fs_type, mlstrustedobject;
|
||||
type vfat, sdcard_type, fs_type, mlstrustedobject;
|
||||
typealias fuse alias sdcard_internal;
|
||||
typealias vfat alias sdcard_external;
|
||||
type debugfs, fs_type, mlstrustedobject;
|
||||
type debugfs, fs_type;
|
||||
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
|
||||
type debugfs_tracing, fs_type, debugfs_type;
|
||||
type pstorefs, fs_type;
|
||||
type functionfs, fs_type;
|
||||
type oemfs, fs_type, contextmount_type;
|
||||
|
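Review bot: `debugfs` loses `mlstrustedobject` and the new `debugfs_tracing` is declared without it while `debugfs_trace_marker` keeps it, but the hunk gives no comment on why the attribute now stays only on trace_marker. As far as this page shows, the intent seems to be that trace_marker is written by domains at any MLS level whereas the rest of the tracing tree is only read and written by domains without categories such as shell; I would record that beside the declarations, e.g. `# only trace_marker is written by domains at every MLS level, so only it stays mlstrustedobject`, so the attribute is not quietly re-added to debugfs_tracing later. Any domain carrying MLS categories that still writes to other files under /sys/kernel/debug is affected by the removal, which is worth a denial check on a userdebug build.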
@ -330,6 +330,7 @@
|
||||
#############################
|
||||
# debugfs files
|
||||
#
|
||||
/sys/kernel/debug/tracing(/.*)? u:object_r:debugfs_tracing:s0
|
||||
/sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
|
||||
|
||||
#############################
|
||||
|
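Review bot: The new `/sys/kernel/debug/tracing(/.*)?` entry also matches `/sys/kernel/debug/tracing/trace_marker`; the literal entry on the next line still wins because file_contexts matching prefers the more specific pattern, but that dependency is not stated anywhere in the hunk. I would add `# trace_marker below is more specific and takes precedence over this entry` above the new line. As with the existing trace_marker entry, this label only takes effect when debugfs is relabeled after it is mounted (the init.rc restorecon step is not part of this page); if that relabel does not recurse into the tracing subtree, the files keep the `debugfs` label and the new debugfs_tracing rules in shell.te and perfprofd.te never match.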
@ -48,7 +48,7 @@ userdebug_or_eng(`
|
||||
allow perfprofd exec_type:file r_file_perms;
|
||||
|
||||
# simpleperf examines debugfs on startup to collect tracepoint event types
|
||||
allow perfprofd debugfs:file r_file_perms;
|
||||
allow perfprofd debugfs_tracing:file r_file_perms;
|
||||
|
||||
# simpleperf is going to execute "sleep"
|
||||
allow perfprofd toolbox_exec:file rx_file_perms;
|
||||
|
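Review bot: The rewritten rule only grants `debugfs_tracing:file r_file_perms`, yet the comment above it says simpleperf examines debugfs to collect tracepoint event types, which involves listing directories under tracing/events, and the only directory permission perfprofd receives from this commit is `search` via domain. Before this change that listing was presumably covered by the `debugfs:dir r_dir_perms` rule that domain_deprecated.te loses in the same commit, if perfprofd is in domain_deprecated. If so, `allow perfprofd debugfs_tracing:dir r_dir_perms;` is needed alongside the file rule; an audit of perfprofd denials on a userdebug build would confirm it.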
9
shell.te
9
shell.te
@ -69,13 +69,8 @@ set_prop(shell, debug_prop)
|
||||
set_prop(shell, powerctl_prop)
|
||||
|
||||
# systrace support - allow atrace to run
|
||||
# debugfs did not support labeling individual files, so we have
|
||||
# to grant read access to all of /sys/kernel/debug.
|
||||
# Directory read access and file write access is already granted
|
||||
# in domain.te.
|
||||
# TODO: Fix this now that we support labeling individual debugfs files
|
||||
# (b/18935184, https://android-review.googlesource.com/122130)
|
||||
allow shell debugfs:file r_file_perms;
|
||||
allow shell debugfs_tracing:dir r_dir_perms;
|
||||
allow shell debugfs_tracing:file rw_file_perms;
|
||||
allow shell atrace_exec:file rx_file_perms;
|
||||
|
||||
userdebug_or_eng(`
|
||||
|
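Review bot: `allow shell debugfs_tracing:file rw_file_perms;` grants write to every file under /sys/kernel/debug/tracing, which is wider than the read-only `debugfs:file r_file_perms` it replaces, and the remaining comment `# systrace support - allow atrace to run` no longer explains what atrace actually touches now that individual files can be labeled. Since the removed lines describe the blanket grant as a workaround for missing labeling, the reason for keeping a subtree-wide rw grant should be written down, e.g. `# atrace reads and writes ftrace control files throughout tracing/, so the whole subtree is labeled debugfs_tracing`. If atrace only writes a small set of control files, a dedicated label for those would let the rest of the subtree stay read-only for shell.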