From 6ebcfe478d772e4533b9b6eab2e06ebf94ab16b7 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 11 Feb 2017 09:36:15 -0800
Subject: [PATCH] Don't try to relabel tracing directory

Use the default filesystem label from genfs_contexts for the directory
/sys/kernel/debug/tracing and /sys/kernel/tracing, instead of explicitly
attempting to relabel it.

There are three cases we need to consider:

1) Old-style tracing functionality is on debugfs
2) tracing functionality is on tracefs, but mounted under debugfs
3) tracefs is mounted at /sys/kernel/tracing

For #1, the label on /sys/kernel/debug/tracing will be debugfs, and all
processes are allowed debugfs:dir search, so having the label be debugfs
instead of debugfs_tracing will not result in any permission change.

For #2, the label on /sys/kernel/debug/tracing will be debugfs_tracing,
which is the same as it is today. The empty directory
/sys/kernel/tracing will retain the sysfs label, avoiding the denial
below.

For #3, /sys/kernel/debug/tracing won't exist, and /sys/kernel/tracing
will have the debugfs_tracing label, where processes are allowed search
access.

Addresses the following denial:

avc:  denied  { associate } for  pid=1 comm="init" name="tracing"
dev="sysfs" ino=95 scontext=u:object_r:debugfs_tracing:s0
tcontext=u:object_r:sysfs:s0 tclass=filesystem permissive=0

Bug: 31856701
Bug: 35197529
Test: no denials on boot
Change-Id: I7233ea92c6987b8edfce9c2f1d77eb25c7df820f
---
 private/file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/private/file_contexts b/private/file_contexts
index 337845649..71f1586f6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -445,7 +445,7 @@
 # debugfs files
 #
 /sys/kernel/debug/mmc0(/.*)?                            u:object_r:debugfs_mmc:s0
-/sys/kernel(/debug)?/tracing(/.*)?			u:object_r:debugfs_tracing:s0
+/sys/kernel(/debug)?/tracing/(.*)?			u:object_r:debugfs_tracing:s0
 /sys/kernel(/debug)?/tracing/trace_marker		u:object_r:debugfs_trace_marker:s0
 /sys/kernel(/debug)?/tracing/instances(/.*)?		u:object_r:debugfs_tracing_instances:s0
 /sys/kernel(/debug)?/tracing/instances/wifi/free_buffer	u:object_r:debugfs_wifi_tracing:s0
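Review bot: The new pattern on the `+` line, `/sys/kernel(/debug)?/tracing/(.*)?`, reads like a typo of the `(/.*)?` form used by the neighbouring `mmc0` and `instances` entries, so a later cleanup could easily "fix" it back and reintroduce the relabel of the directory itself. Please add a comment above the entry stating that the tracing directory is deliberately left unmatched so that it keeps its default filesystem label from genfs_contexts. The trailing `?` is also redundant now, since `.*` already matches the empty string; `/sys/kernel(/debug)?/tracing/.*` matches the same paths and makes the intent easier to see.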
-- 
GitLab