From 35c363897dee6ab1057f071bed816ca4bff09961 Mon Sep 17 00:00:00 2001
From: Max Bires <jbires@google.com>
Date: Mon, 15 Jan 2018 16:44:04 -0800
Subject: [PATCH] Adding write permissions to traceur

Fixing denials that stopped traceur from being able to write to
debugfs_tracing. Also cleaning up general find denials for services that
traceur doesn't have permission to access.

Additionally, labeling /data/local/traces as a trace_data_file in order
to give traceur a UX-friendly area to write its traces to now that it
will no longer be a shell user. It will be writable/readable by traceur,
and deletable/readable by shell.

Test: Traceur functionality is not being blocked by selinux policy
Bug: 68126425
Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36
---
 private/adbd.te                     | 4 ++++
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/file_contexts               | 1 +
 private/traceur_app.te              | 5 ++++-
 public/file.te                      | 5 +++--
 public/shell.te                     | 4 ++++
 public/traceur_app.te               | 2 ++
 7 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/private/adbd.te b/private/adbd.te
index 9dcfc816b..77c0d7377 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -36,6 +36,10 @@ allow adbd devpts:chr_file rw_file_perms;
 allow adbd shell_data_file:dir create_dir_perms;
 allow adbd shell_data_file:file create_file_perms;
 
+# adb pull /data/local/traces/*
+allow adbd trace_data_file:dir r_dir_perms;
+allow adbd trace_data_file:file r_file_perms;
+
 # adb pull /data/misc/profman.
 allow adbd profman_dump_data_file:dir r_dir_perms;
 allow adbd profman_dump_data_file:file r_file_perms;
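Review bot: The two `trace_data_file` rules added for adbd are unconditional, while the only writer this patch introduces, traceur_app in private/traceur_app.te, gets its access inside a `userdebug_or_eng` block. Unless some domain outside this patch writes to /data/local/traces on user builds, the read grant here and the read/delete grant to shell in public/shell.te are unused on those builds. Both could sit under the same `userdebug_or_eng` guard. If the unconditional grant is intended, a comment should say so, for example `# Kept outside userdebug_or_eng: <writer on user builds>`.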
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 325a22a9a..7bab01214 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -79,6 +79,7 @@
     timezone_service
     tombstoned_java_trace_socket
     tombstone_wifi_data_file
+    trace_data_file
     traceur_app
     traceur_app_tmpfs
     traced
diff --git a/private/file_contexts b/private/file_contexts
index 6a94951ae..211394525 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -350,6 +350,7 @@
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/local/traces(/.*)?	u:object_r:trace_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0
 /data/nativetest(/.*)?	u:object_r:nativetest_data_file:s0
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 194a28fd4..83c77b4cf 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -2,6 +2,9 @@ typeattribute traceur_app coredomain;
 
 userdebug_or_eng(`
   app_domain(traceur_app);
-  allow traceur_app debugfs_tracing:file r_file_perms;
+  allow traceur_app debugfs_tracing:file rw_file_perms;
+  allow traceur_app debugfs_tracing_debug:file rw_file_perms;
+  allow traceur_app trace_data_file:file create_file_perms;
+  allow traceur_app trace_data_file:dir { add_name search write };
   allow traceur_app atrace_exec:file rx_file_perms;
 ')
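Review bot: `create_file_perms` on `trace_data_file:file` grants more than the directory rule below it can use. The macro is defined outside this patch, but in the platform's global_macros it also carries `rename`, `setattr` and `unlink`, while the dir rule has no `remove_name`, so unlink and rename would still be denied at the directory. The commit message assigns deletion to shell, so the file rule could state exactly that: `allow traceur_app trace_data_file:file { create rw_file_perms };`, adding `setattr` explicitly only if traceur needs it. The dir rule also has no `create`, so /data/local/traces must already exist with this label before traceur runs, and the patch does not show what creates it. The `userdebug_or_eng` block begins above the hunk.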
diff --git a/public/file.te b/public/file.te
index d6687460c..91796c068 100644
--- a/public/file.te
+++ b/public/file.te
@@ -108,8 +108,8 @@ type vfat, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing_instances, fs_type, debugfs_type;
 type debugfs_wifi_tracing, fs_type, debugfs_type;
 
@@ -244,6 +244,7 @@ type recovery_data_file, file_type, data_file_type, core_data_file_type;
 type shared_relro_file, file_type, data_file_type, core_data_file_type;
 type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
 type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type vpn_data_file, file_type, data_file_type, core_data_file_type;
 type wifi_data_file, file_type, data_file_type, core_data_file_type;
 type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
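Review bot: `mlstrustedobject` is added to three types across the two hunks of this file (`debugfs_tracing` and `debugfs_tracing_debug` in the hunk above, `trace_data_file` here) with no comment explaining why. The attribute lifts the MLS constraints on the type for every domain that holds a TE allow rule on it, not only traceur_app. For the two existing debugfs types this can widen the effective access of domains that this patch never mentions. A comment above `trace_data_file` such as `# mlstrustedobject: written by traceur_app (app domain with categories), read by shell and adbd` would record the presumed intent. It is also worth checking which other domains already hold write rules on the two debugfs types.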
diff --git a/public/shell.te b/public/shell.te
index 719036cc9..32ad7701d 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -25,6 +25,10 @@ allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;
 
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
+
 # Access /data/misc/profman.
 allow shell profman_dump_data_file:dir { search getattr write remove_name };
 allow shell profman_dump_data_file:file { getattr unlink };
diff --git a/public/traceur_app.te b/public/traceur_app.te
index ab08c6260..46826d486 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -17,5 +17,7 @@ userdebug_or_eng(`
     -vr_hwc_service
   }:service_manager find;
 
+  dontaudit traceur_app service_manager_type:service_manager find;
+  dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
   dontaudit traceur_app domain:binder call;
 ')
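Review bot: The two added `dontaudit` rules suppress every `find` denial for traceur_app across all `service_manager_type` and `hwservice_manager_type` targets. A denied lookup that is not part of the expected noise will therefore never reach the audit log, which makes later policy debugging and detection of unexpected behaviour from this domain harder. The commit message describes these as general find denials for services traceur has no permission to access, and that reason belongs next to the rules, for example `# Traceur probes services it is not allowed to find; these denials are expected.` If the set of probed services is known, listing those types instead of the whole attribute would keep the rest auditable. The `userdebug_or_eng` block and the preceding `find` rule start above the hunk.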
-- 
GitLab