From 4ea5569f531099bc5781ae28f08d14048873ceaa Mon Sep 17 00:00:00 2001
From: Max Bires <jbires@google.com>
Date: Mon, 11 Dec 2017 16:19:23 -0800
Subject: [PATCH] Adding a traceur_app domain to remove it from shell

This CL creates a traceur_app domain with userdebug privileges akin to what shell has with regards to being able to find most services on device. Previously, traceur was running as shell which was an unintentional abuse of selinux architecture.

Bug: 68126425
Test: Traceur functions outside of shell user privilege
Change-Id: Ib5090e7e8225ad201b3ec24b506fe2717101d0f1
---
 private/compat/26.0/26.0.ignore.cil | 2 ++
 private/domain.te | 1 +
 private/seapp_contexts | 1 +
 private/statsd.te | 3 ++-
 private/traceur_app.te | 7 +++++++
 public/dumpstate.te | 10 ++++++++--
 public/traceur_app.te | 21 +++++++++++++++++++++
 7 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 private/traceur_app.te
 create mode 100644 public/traceur_app.te

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ab4a49a7b..77d1b4fc1 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -53,6 +53,8 @@
 timezone_service
 tombstoned_java_trace_socket
 tombstone_wifi_data_file
+ traceur_app
+ traceur_app_tmpfs
 update_engine_log_data_file
 vendor_init
 vold_prepare_subdirs
diff --git a/private/domain.te b/private/domain.te
index ff7f1b3a7..1fd75bc78 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -72,6 +72,7 @@ full_treble_only(`
 -init
 userdebug_or_eng(`-perfprofd')
 -shell
+ userdebug_or_eng(`-traceur_app')
 -vendor_init
 } debugfs_tracing:file no_rw_file_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index a97fc7055..76f299866 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -95,6 +95,7 @@ neverallow user=shell domain=((?!shell).)*
 neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 isSystemServer=true domain=system_server
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
diff --git a/private/statsd.te b/private/statsd.te
index 82691d3a3..617021af7 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -51,7 +51,7 @@ binder_call(statsd, stats)
 ### neverallow rules ###
-# Only system_server, system_app, and stats command can find the stats service.
+# Only system_server, system_app, traceur_app, and stats command can find the stats service.
 neverallow {
 domain
 -dumpstate
@@ -60,6 +60,7 @@ neverallow {
 -statsd
 -system_app
 -system_server
+ userdebug_or_eng(`-traceur_app')
 } stats_service:service_manager find;
 # Only statsd and the other root services in limited circumstances.
diff --git a/private/traceur_app.te b/private/traceur_app.te
new file mode 100644
index 000000000..194a28fd4
--- /dev/null
+++ b/private/traceur_app.te
@@ -0,0 +1,7 @@
+typeattribute traceur_app coredomain;
+
+userdebug_or_eng(`
+ app_domain(traceur_app);
+ allow traceur_app debugfs_tracing:file r_file_perms;
+ allow traceur_app atrace_exec:file rx_file_perms;
+')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5dc6894ca..dd7c1abd0 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
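Review bot: The new seapp_contexts entry assigns com.android.traceur to traceur_app on every build, while app_domain(traceur_app) and every allow rule in the private and public traceur_app.te files are wrapped in userdebug_or_eng, so on a user build that still ships the package the process would start in a domain with no rules at all. If Traceur is only installed on userdebug/eng builds that is harmless, but the assumption is not recorded anywhere; a comment on the entry such as `# Traceur is userdebug/eng only: traceur_app carries no allow rules on user builds` would make the dependency explicit. Keying the entry on seinfo=platform plus the package name keeps the domain tied to the platform-signed package, which is the right restriction.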
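Review bot: The rewritten comment names traceur_app as an unconditional peer of system_server and system_app, but the exemption added in the second hunk of this file is `userdebug_or_eng(`-traceur_app')`, so on user builds traceur_app stays inside the neverallow; `# Only system_server, system_app, the stats command and (userdebug/eng only) traceur_app can find the stats service.` matches the rule as written. The new comment in the public/dumpstate.te hunk has the same mismatch. The neverallow block this comment introduces continues past the end of the hunk.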
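Review bot: None of the three rules under userdebug_or_eng in the new private/traceur_app.te says what Traceur needs it for, and the second and third are the ones a later reader will question. For the debugfs_tracing line something like `# read trace output; r_file_perms only, even though private/domain.te now exempts traceur_app from the no_rw_file_perms neverallow` records that write access is withheld on purpose, and for atrace_exec `# run atrace inside this domain; rx_file_perms only, no domain transition is declared` states that the binary inherits traceur_app's permissions rather than getting its own domain. Without those comments the wider neverallow exemption in private/domain.te reads as an invitation to add a write rule later.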
@@ -272,8 +272,14 @@ allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
 # accessing sensitive /proc/PID files, never for using ptrace attach.
 neverallow dumpstate *:process ptrace;
-# only system_server, dumpstate and shell can find the dumpstate service
-neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+ domain
+ -system_server
+ -shell
+ userdebug_or_eng(`-traceur_app')
+ -dumpstate
+} dumpstate_service:service_manager find;
 # Dumpstate should not be writing to any generically labeled sysfs files.
 # Create a specific label for the file type
diff --git a/public/traceur_app.te b/public/traceur_app.te
new file mode 100644
index 000000000..ab08c6260
--- /dev/null
+++ b/public/traceur_app.te
@@ -0,0 +1,21 @@
+type traceur_app, domain;
+
+userdebug_or_eng(`
+ allow traceur_app servicemanager:service_manager list;
+ allow traceur_app hwservicemanager:hwservice_manager list;
+
+ set_prop(traceur_app, debug_prop)
+
+ allow traceur_app {
+ service_manager_type
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+ }:service_manager find;
+
+ dontaudit traceur_app domain:binder call;
+')
-- 
GitLab
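Review bot: `dontaudit traceur_app domain:binder call;` in the new public/traceur_app.te suppresses the denial record for binder calls from traceur_app to every domain, so a call into a service this policy never meant to allow leaves nothing in the audit log; on a debug-only domain the denial noise is cheap, and keeping it visible is what lets a reviewer see which services Traceur actually reaches. If the rule exists to quiet a known set of targets, naming those types instead of domain keeps the rest auditable. The service_manager find rule is written as a denylist over service_manager_type, so any service type added later is findable by traceur_app unless someone remembers to extend the exclusion list; a comment stating that intent, e.g. `# find is granted by exclusion to mirror shell; new sensitive services must be added to this list`, would help, though an allowlist of the services Traceur uses would be the safer shape. `type traceur_app, domain;` sits outside the userdebug_or_eng block while all of its rules sit inside, which is presumably deliberate so the type exists on user builds for the compat mapping.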