Merge changes from topic "user-build-traceur"

* changes: Use a whitelisting strategy for tracefs. Enable Traceur on user builds.

Merge changes from topic "user-build-traceur"
0fe4586b · Treehugger Robot · Gerrit Code Review · 4c19b3d1 · 2c8ca45d · 0fe4586b
Commit 0fe4586b authored 7 years ago by Treehugger Robot Committed by Gerrit Code Review 7 years ago
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -14,6 +14,7 @@ userdebug_or_eng(`
  # Allow atrace to access tracefs.
  allow atrace debugfs_tracing:dir r_dir_perms;
  allow atrace debugfs_tracing:file rw_file_perms;
+  allow atrace debugfs_tracing_debug:dir r_dir_perms;
  allow atrace debugfs_tracing_debug:file rw_file_perms;
  allow atrace debugfs_trace_marker:file getattr;

--- a/private/domain.te
+++ b/private/domain.te
@@ -17,6 +17,13 @@ neverallow {
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+neverallow {
+  domain
+  -init
+  -vendor_init
+  userdebug_or_eng(`-domain')
+} debugfs_tracing_debug:file no_rw_file_perms;
 # Core domains are not permitted to use kernel interfaces which are not
 # explicitly labeled.
 # TODO(b/65643247): Apply these neverallow rules to all coredomain.
@@ -60,7 +67,7 @@ full_treble_only(`
    userdebug_or_eng(`-perfprofd')
    userdebug_or_eng(`-traced_probes')
    -shell
-    userdebug_or_eng(`-traceur_app')
+    -traceur_app
  } debugfs_tracing:file no_rw_file_perms;
  # inotifyfs

--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -14,6 +14,7 @@ allow dumpstate dumpstate_tmpfs:file execute;
 # systrace support - allow atrace to run
 allow dumpstate debugfs_tracing:dir r_dir_perms;
 allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_tracing_debug:dir r_dir_perms;
 allow dumpstate debugfs_trace_marker:file getattr;
 allow dumpstate atrace_exec:file rx_file_perms;
 allow dumpstate storaged_exec:file rx_file_perms;

--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -123,7 +123,12 @@ genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
 genfscon debugfs /mmc0                                u:object_r:debugfs_mmc:s0
-genfscon debugfs /tracing                             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing                             u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /                                    u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on                  u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on                          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace                               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/instances                   u:object_r:debugfs_tracing_instances:s0
 genfscon tracefs /instances                           u:object_r:debugfs_tracing_instances:s0
 genfscon debugfs /tracing/instances/wifi              u:object_r:debugfs_wifi_tracing:s0
@@ -148,7 +153,6 @@ genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/enable    u:object_r:
 genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable     u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/block/block_rq_issue/enable         u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/block/block_rq_complete/enable      u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/saved_cmdlines_size                        u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/sync/enable                         u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/workqueue/enable                    u:object_r:debugfs_tracing_debug:s0
@@ -166,12 +170,62 @@ genfscon tracefs /events/ext4/ext4_sync_file_enter/enable    u:object_r:debugfs_
 genfscon tracefs /events/ext4/ext4_sync_file_exit/enable     u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/block/block_rq_issue/enable         u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/block/block_rq_complete/enable      u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /saved_cmdlines_size                        u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /trace_clock                                            u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb                                         u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite                                      u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid                                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size                                    u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/enable                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/enable                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/enable               u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/enable                  u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/enable                                   u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/enable                      u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/enable                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/enable                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/enable               u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/enable                      u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/enable    u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/enable      u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/enable             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/enable            u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/enable                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/enable       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/enable                       u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/enable                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/enable                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/enable                          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite                                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid                                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size                                    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/enable                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/enable                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/enable               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/enable                  u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/enable                                   u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/enable                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/enable                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/enable                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/enable               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/enable                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/enable             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable            u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/enable                u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/enable       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/enable                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/enable                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/enable                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/enable                          u:object_r:debugfs_tracing:s0
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
-genfscon tracefs / u:object_r:debugfs_tracing:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0
 genfscon sdcardfs / u:object_r:sdcardfs:s0

--- a/private/shell.te
+++ b/private/shell.te
@@ -4,18 +4,19 @@ typeattribute shell coredomain;
 allow shell uhid_device:chr_file rw_file_perms;
 # systrace support - allow atrace to run
+allow shell debugfs_tracing_debug:dir r_dir_perms;
 allow shell debugfs_tracing:dir r_dir_perms;
 allow shell debugfs_tracing:file rw_file_perms;
 allow shell debugfs_trace_marker:file getattr;
 allow shell atrace_exec:file rx_file_perms;
-# read config.gz for CTS purposes
-allow shell config_gz:file r_file_perms;
 userdebug_or_eng(`
  allow shell debugfs_tracing_debug:file rw_file_perms;
 ')
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
 # Run app_process.
 # XXX Transition into its own domain?
 app_domain(shell)

--- a/private/statsd.te
+++ b/private/statsd.te
@@ -86,7 +86,7 @@ neverallow {
  -statsd
  -system_app
  -system_server
-  userdebug_or_eng(`-traceur_app')
+  -traceur_app
 } stats_service:service_manager find;
 # Only statsd and the other root services in limited circumstances.

--- a/private/traceur_app.te
+++ b/private/traceur_app.te
 typeattribute traceur_app coredomain;
+app_domain(traceur_app);
+allow traceur_app debugfs_tracing:file rw_file_perms;
+allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
 userdebug_or_eng(`
-  app_domain(traceur_app);
-  allow traceur_app debugfs_tracing:file rw_file_perms;
  allow traceur_app debugfs_tracing_debug:file rw_file_perms;
-  allow traceur_app trace_data_file:file create_file_perms;
-  allow traceur_app trace_data_file:dir { add_name getattr search write };
-  allow traceur_app atrace_exec:file rx_file_perms;
 ')
+allow traceur_app trace_data_file:file create_file_perms;
+allow traceur_app trace_data_file:dir { add_name getattr search write };
+allow traceur_app atrace_exec:file rx_file_perms;
+dontaudit traceur_app debugfs_tracing_debug:file audit_access;
--- a/public/domain.te
+++ b/public/domain.te
@@ -241,6 +241,7 @@ allow domain cgroup:file w_file_perms;
 # The reason behind this is documented in b/6513400
 allow domain debugfs:dir search;
 allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;
 # Filesystem access.

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -283,6 +283,6 @@ neverallow {
  domain
  -system_server
  -shell
-  userdebug_or_eng(`-traceur_app')
+  -traceur_app
  -dumpstate
 } dumpstate_service:service_manager find;
--- a/public/file.te
+++ b/public/file.te
@@ -379,7 +379,7 @@ allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
 allow cgroup_bpf tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;

--- a/public/init.te
+++ b/public/init.te
@@ -199,7 +199,7 @@ allow init {
 allow init cache_file:lnk_file r_file_perms;
 allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;

--- a/public/traceur_app.te
+++ b/public/traceur_app.te
 type traceur_app, domain;
-userdebug_or_eng(`
+allow traceur_app servicemanager:service_manager list;
-  allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
-  allow traceur_app hwservicemanager:hwservice_manager list;
-  set_prop(traceur_app, debug_prop)
+set_prop(traceur_app, debug_prop)
-  allow traceur_app {
+allow traceur_app {
-    service_manager_type
+  service_manager_type
-    -gatekeeper_service
+  -gatekeeper_service
-    -incident_service
+  -incident_service
-    -installd_service
+  -installd_service
-    -netd_service
+  -netd_service
-    -virtual_touchpad_service
+  -virtual_touchpad_service
-    -vold_service
+  -vold_service
-    -vr_hwc_service
+  -vr_hwc_service
-  }:service_manager find;
+}:service_manager find;
-  dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app service_manager_type:service_manager find;
-  dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
-  dontaudit traceur_app domain:binder call;
+dontaudit traceur_app domain:binder call;
-')