Adding a traceur_app domain to remove it from shell

This CL creates a traceur_app domain with userdebug privileges akin to what shell has with regards to being able to find most services on device. Previously, traceur was running as shell which was an unintentional abuse of selinux architecture. Bug: 68126425 Test: Traceur functions outside of shell user privilege Change-Id: Ib5090e7e8225ad201b3ec24b506fe2717101d0f1

Adding a traceur_app domain to remove it from shell
4ea5569f · Max Bires · 756dd574 · 4ea5569f · 4ea5569f · 4ea5569f
Commit 4ea5569f authored 7 years ago by Max Bires
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -53,6 +53,8 @@
    timezone_service
    tombstoned_java_trace_socket
    tombstone_wifi_data_file
+    traceur_app
+    traceur_app_tmpfs
    update_engine_log_data_file
    vendor_init
    vold_prepare_subdirs

--- a/private/domain.te
+++ b/private/domain.te
@@ -72,6 +72,7 @@ full_treble_only(`
    -init
    userdebug_or_eng(`-perfprofd')
    -shell
+    userdebug_or_eng(`-traceur_app')
    -vendor_init
  } debugfs_tracing:file no_rw_file_perms;

--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -95,6 +95,7 @@ neverallow user=shell domain=((?!shell).)*
 neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 isSystemServer=true domain=system_server
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file

--- a/private/statsd.te
+++ b/private/statsd.te
@@ -51,7 +51,7 @@ binder_call(statsd, stats)
 ### neverallow rules
 ###
-# Only system_server, system_app, and stats command can find the stats service.
+# Only system_server, system_app, traceur_app, and stats command can find the stats service.
 neverallow {
  domain
  -dumpstate
@@ -60,6 +60,7 @@ neverallow {
  -statsd
  -system_app
  -system_server
+  userdebug_or_eng(`-traceur_app')
 } stats_service:service_manager find;
 # Only statsd and the other root services in limited circumstances.

--- a/private/traceur_app.te
+++ b/private/traceur_app.te
+typeattribute traceur_app coredomain;
+userdebug_or_eng(`
+  app_domain(traceur_app);
+  allow traceur_app debugfs_tracing:file r_file_perms;
+  allow traceur_app atrace_exec:file rx_file_perms;
+')
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -272,8 +272,14 @@ allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
 # accessing sensitive /proc/PID files, never for using ptrace attach.
 neverallow dumpstate *:process ptrace;
-# only system_server, dumpstate and shell can find the dumpstate service
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
-neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
+neverallow {
+  domain
+  -system_server
+  -shell
+  userdebug_or_eng(`-traceur_app')
+  -dumpstate
+} dumpstate_service:service_manager find;
 # Dumpstate should not be writing to any generically labeled sysfs files.
 # Create a specific label for the file type

--- a/public/traceur_app.te
+++ b/public/traceur_app.te
+type traceur_app, domain;
+userdebug_or_eng(`
+  allow traceur_app servicemanager:service_manager list;
+  allow traceur_app hwservicemanager:hwservice_manager list;
+  set_prop(traceur_app, debug_prop)
+  allow traceur_app {
+    service_manager_type
+    -gatekeeper_service
+    -incident_service
+    -installd_service
+    -netd_service
+    -virtual_touchpad_service
+    -vold_service
+    -vr_hwc_service
+  }:service_manager find;
+  dontaudit traceur_app domain:binder call;
+')