Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker

Add initial support for labeling files on /sys/kernel/debug. The kernel support was added in https://android-review.googlesource.com/122130 but the userspace portion of the change was never completed until now. Start labeling the file /sys/kernel/debug/tracing/trace_marker . This is the trace_marker file, which is written to by almost all processes in Android. Allow global write access to this file. This change should be submitted at the same time as the system/core commit with the same Change-Id as this patch. Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d

Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
44826cb5 · Nick Kralevich · 5e8402df · 44826cb5 · 44826cb5 · 44826cb5
Commit 44826cb5 authored 9 years ago by Nick Kralevich
--- a/attributes
+++ b/attributes
@@ -37,6 +37,9 @@ attribute data_file_type;
 # All types use for sysfs files.
 attribute sysfs_type;
+# All types use for debugfs files.
+attribute debugfs_type;
 # Attribute used for all sdcards
 attribute sdcard_type;

--- a/domain.te
+++ b/domain.te
@@ -110,6 +110,12 @@ allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
 ###
 ### neverallow rules
 ###

--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -71,6 +71,11 @@ allow domain_deprecated proc_cpuinfo:file r_file_perms;
 # debugfs access
 allow domain_deprecated debugfs:dir r_dir_perms;
+# TODO: The following line can likely be deleted. The only reason
+# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker
+# write access. This was in the days before labels could be assigned
+# to individual files on debugfs
+# (b/18935184, https://android-review.googlesource.com/122130)
 allow domain_deprecated debugfs:file w_file_perms;
 # Get SELinux enforcing status.

--- a/file.te
+++ b/file.te
@@ -40,6 +40,7 @@ type vfat, sdcard_type, fs_type, mlstrustedobject;
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
 type debugfs, fs_type, mlstrustedobject;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type pstorefs, fs_type;
 type functionfs, fs_type;
 type oemfs, fs_type, contextmount_type;
@@ -198,6 +199,7 @@ type property_contexts, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type debugfs:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;

--- a/file_contexts
+++ b/file_contexts
@@ -326,6 +326,11 @@
 /sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
 /sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
+#############################
+# debugfs files
+#
+/sys/kernel/debug/tracing/trace_marker   u:object_r:debugfs_trace_marker:s0
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0

--- a/init.te
+++ b/init.te
@@ -103,8 +103,8 @@ allow init {file_type -system_file -exec_type -keystore_data_file -security_file
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
-allow init sysfs_type:{ dir file lnk_file } relabelto;
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;

--- a/shell.te
+++ b/shell.te
@@ -69,12 +69,13 @@ set_prop(shell, debug_prop)
 set_prop(shell, powerctl_prop)
 # systrace support - allow atrace to run
-# debugfs doesn't support labeling individual files, so we have
+# debugfs did not support labeling individual files, so we have
 # to grant read access to all of /sys/kernel/debug.
 # Directory read access and file write access is already granted
 # in domain.te.
+# TODO: Fix this now that we support labeling individual debugfs files
+# (b/18935184, https://android-review.googlesource.com/122130)
 allow shell debugfs:file r_file_perms;
-allow shell debugfs:dir search;
 allow shell atrace_exec:file rx_file_perms;
 userdebug_or_eng(`