From fe12b61642a0013e04848b399e59d310926c796f Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Mon, 14 Dec 2015 13:57:26 -0800
Subject: [PATCH] label /sys/kernel/debug/tracing and remove debugfs write

Start labeling the directory /sys/kernel/debug/tracing. The files in this directory need to be writable to the shell user.

Remove global debugfs:file write access. This was added in the days before we could label individual debugfs files.

Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3
---
 bootanim.te | 4 ----
 domain.te | 1 +
 domain_deprecated.te | 9 ---------
 file.te | 3 ++-
 file_contexts | 1 +
 perfprofd.te | 2 +-
 shell.te | 9 ++-------
 7 files changed, 7 insertions(+), 22 deletions(-)

diff --git a/bootanim.te b/bootanim.te
index ee5bcae75..159fd9ea4 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -22,10 +22,6 @@ allow bootanim surfaceflinger_service:service_manager find;
 allow bootanim cgroup:dir { search write };
 allow bootanim cgroup:file w_file_perms;
-# debugfs access
-allow bootanim debugfs:dir r_dir_perms;
-allow bootanim debugfs:file w_file_perms;
-
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;
diff --git a/domain.te b/domain.te
index c910c7069..b60e5e048 100644
--- a/domain.te
+++ b/domain.te
@@ -118,6 +118,7 @@ allow domain selinuxfs:filesystem getattr;
 # /sys/kernel/debug/tracing/trace_marker
 # The reason behind this is documented in b/6513400
 allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;
 ###
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 269fe5bbd..cd1a08c3b 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
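Review bot: The added `allow domain debugfs_tracing:dir search;` sits under a comment that only explains the trace_marker write, so a reader cannot tell why every domain now needs search on the new debugfs_tracing directory type. Because trace_marker lives inside /sys/kernel/debug/tracing, which this commit labels debugfs_tracing, the search grant is what keeps the existing trace_marker path reachable; suggest extending the comment with `# debugfs_tracing:dir search is needed to reach trace_marker now that /sys/kernel/debug/tracing carries its own label`. search only permits path traversal, not directory listing, so the grant is no broader than the existing `debugfs:dir search` it sits next to.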
@@ -68,15 +68,6 @@ r_dir_file(domain_deprecated, cgroup)
 r_dir_file(domain_deprecated, proc_net)
 allow domain_deprecated proc_cpuinfo:file r_file_perms;
-# debugfs access
-allow domain_deprecated debugfs:dir r_dir_perms;
-# TODO: The following line can likely be deleted. The only reason
-# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker
-# write access. This was in the days before labels could be assigned
-# to individual files on debugfs
-# (b/18935184, https://android-review.googlesource.com/122130)
-allow domain_deprecated debugfs:file w_file_perms;
-
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
 allow domain_deprecated selinuxfs:file r_file_perms;
diff --git a/file.te b/file.te
index bab302b55..a2f2811ce 100644
--- a/file.te
+++ b/file.te
@@ -39,8 +39,9 @@ type fuse, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
-type debugfs, fs_type, mlstrustedobject;
+type debugfs, fs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type;
 type pstorefs, fs_type;
 type functionfs, fs_type;
 type oemfs, fs_type, contextmount_type;
diff --git a/file_contexts b/file_contexts
index a54876727..76d514558 100644
--- a/file_contexts
+++ b/file_contexts
@@ -330,6 +330,7 @@
 #############################
 # debugfs files
 #
+/sys/kernel/debug/tracing(/.*)? u:object_r:debugfs_tracing:s0
 /sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
 #############################
diff --git a/perfprofd.te b/perfprofd.te
index f76d9919a..0122c5590 100644
--- a/perfprofd.te
+++ b/perfprofd.te
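Review bot: `type debugfs, fs_type;` silently drops the mlstrustedobject attribute from debugfs, and the new `type debugfs_tracing, fs_type, debugfs_type;` is declared without it while debugfs_trace_marker keeps it; neither the hunk nor the commit message says this is intended. Without mlstrustedobject the MLS constraints apply, so any domain running at a non-default level that still touches debugfs or debugfs_tracing objects would be denied even though the type-enforcement rules in this commit allow it; shell and perfprofd presumably run at the default level and are unaffected, but that should be confirmed rather than assumed. Suggest a comment on the new declaration recording the decision, e.g. `# not mlstrustedobject: only default-level domains (shell, perfprofd) are expected to access tracing files`.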
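Review bot: The new `/sys/kernel/debug/tracing(/.*)? u:object_r:debugfs_tracing:s0` entry is a file_contexts pattern rather than a genfscon rule, so it only takes effect on inodes that are actually relabeled after debugfs is mounted; this diff shows no change to the boot-time relabel, so whether the whole tracing subtree is relabeled recursively should be confirmed against init.rc, otherwise files under it keep the debugfs label and the debugfs_tracing rules in shell.te and perfprofd.te never match. The ordering relative to the trace_marker entry is fine as written because the later, more specific trace_marker line still takes precedence, but that dependency is implicit; a comment `# the trace_marker entry below must stay after and more specific than this pattern` would make it explicit.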
@@ -48,7 +48,7 @@ userdebug_or_eng(`
 allow perfprofd exec_type:file r_file_perms;
 # simpleperf examines debugfs on startup to collect tracepoint event types
- allow perfprofd debugfs:file r_file_perms;
+ allow perfprofd debugfs_tracing:file r_file_perms;
 # simpleperf is going to execute "sleep"
 allow perfprofd toolbox_exec:file rx_file_perms;
diff --git a/shell.te b/shell.te
index 4b6acbc25..ebd702bf6 100644
--- a/shell.te
+++ b/shell.te
@@ -69,13 +69,8 @@ set_prop(shell, debug_prop)
 set_prop(shell, powerctl_prop)
 # systrace support - allow atrace to run
-# debugfs did not support labeling individual files, so we have
-# to grant read access to all of /sys/kernel/debug.
-# Directory read access and file write access is already granted
-# in domain.te.
-# TODO: Fix this now that we support labeling individual debugfs files
-# (b/18935184, https://android-review.googlesource.com/122130)
-allow shell debugfs:file r_file_perms;
+allow shell debugfs_tracing:dir r_dir_perms;
+allow shell debugfs_tracing:file rw_file_perms;
 allow shell atrace_exec:file rx_file_perms;
 userdebug_or_eng(`
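Review bot: `allow perfprofd debugfs_tracing:file r_file_perms;` grants file reads under the new label but no directory read, so if simpleperf discovers tracepoint event types by listing the tracing/events tree (which is what the comment above implies) it will be denied: domain.te only gives `debugfs_tracing:dir search`, which permits traversal but not readdir, and the blanket `debugfs:dir r_dir_perms` in domain_deprecated.te that may have been covering this is removed in the same commit. Unless perfprofd is known to open only fixed paths, add `allow perfprofd debugfs_tracing:dir r_dir_perms;` next to the new line. The enclosing userdebug_or_eng block starts outside the hunk.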
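Review bot: `allow shell debugfs_tracing:file rw_file_perms;` covers every file matched by `/sys/kernel/debug/tracing(/.*)?`, not only the control files atrace toggles, so this is still a broad write grant to an unprivileged-shell domain, and the removed TODO that documented the over-broad predecessor has no replacement comment. It is also unconditional while the perfprofd grant in this same commit sits inside userdebug_or_eng; if systrace on user builds is the reason, the policy should say so. Suggest a note above the two new rules, e.g. `# atrace reads and writes tracing control files; debugfs_tracing covers the whole tracing subtree, narrow to the files atrace needs once they are labeled individually`. The hunk ends at the opening of a userdebug_or_eng block that continues outside it.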