Adding write permissions to traceur

Fixing denials that stopped traceur from being able to write to debugfs_tracing. Also cleaning up general find denials for services that traceur doesn't have permission to access. Additionally, labeling /data/local/trace as a trace_data_file in order to give traceur a UX friendly area to write its traces to now that it will no longer be a shell user. It will be write/readable by traceur, and deletable/readable by shell. Test: Traceur functionality is not being blocked by selinux policy Bug: 68126425 Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36

Adding write permissions to traceur
35c36389 · Max Bires · 8bda3dfa · 35c36389 · 35c36389 · 35c36389
Commit 35c36389 authored 7 years ago by Max Bires
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -36,6 +36,10 @@ allow adbd devpts:chr_file rw_file_perms;
 allow adbd shell_data_file:dir create_dir_perms;
 allow adbd shell_data_file:file create_file_perms;
+# adb pull /data/local/traces/*
+allow adbd trace_data_file:dir r_dir_perms;
+allow adbd trace_data_file:file r_file_perms;
 # adb pull /data/misc/profman.
 allow adbd profman_dump_data_file:dir r_dir_perms;
 allow adbd profman_dump_data_file:file r_file_perms;

--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -79,6 +79,7 @@
    timezone_service
    tombstoned_java_trace_socket
    tombstone_wifi_data_file
+    trace_data_file
    traceur_app
    traceur_app_tmpfs
    traced

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -350,6 +350,7 @@
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/local/traces(/.*)?	u:object_r:trace_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0
 /data/nativetest(/.*)?	u:object_r:nativetest_data_file:s0

--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -2,6 +2,9 @@ typeattribute traceur_app coredomain;
 userdebug_or_eng(`
  app_domain(traceur_app);
-  allow traceur_app debugfs_tracing:file r_file_perms;
+  allow traceur_app debugfs_tracing:file rw_file_perms;
+  allow traceur_app debugfs_tracing_debug:file rw_file_perms;
+  allow traceur_app trace_data_file:file create_file_perms;
+  allow traceur_app trace_data_file:dir { add_name search write };
  allow traceur_app atrace_exec:file rx_file_perms;
 ')
--- a/public/file.te
+++ b/public/file.te
@@ -108,8 +108,8 @@ type vfat, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_debug, fs_type, debugfs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing_instances, fs_type, debugfs_type;
 type debugfs_wifi_tracing, fs_type, debugfs_type;
@@ -244,6 +244,7 @@ type recovery_data_file, file_type, data_file_type, core_data_file_type;
 type shared_relro_file, file_type, data_file_type, core_data_file_type;
 type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
 type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type vpn_data_file, file_type, data_file_type, core_data_file_type;
 type wifi_data_file, file_type, data_file_type, core_data_file_type;
 type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;

--- a/public/shell.te
+++ b/public/shell.te
@@ -25,6 +25,10 @@ allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
 # Access /data/misc/profman.
 allow shell profman_dump_data_file:dir { search getattr write remove_name };
 allow shell profman_dump_data_file:file { getattr unlink };

--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -17,5 +17,7 @@ userdebug_or_eng(`
    -vr_hwc_service
  }:service_manager find;
+  dontaudit traceur_app service_manager_type:service_manager find;
+  dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
  dontaudit traceur_app domain:binder call;
 ')