From 7ad383f1810d2f8efc9556c336d69030a6082789 Mon Sep 17 00:00:00 2001
From: Florian Mayer <fmayer@google.com>
Date: Tue, 10 Apr 2018 16:12:54 +0100
Subject: [PATCH] Expose filesystem read events in SELinux policy.
Without this, we only have visibility into writes. Looking at traces, we realised for many of the files we care about (.dex, .apk) most filesystem events are actually reads. See aosp/661782 for matching filesystem permission change.
Bug: 73625480
Change-Id: I6ec71d82fad8f4679c7b7d38e3cb90aff0b9e298
---
private/genfs_contexts | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3d2528d31..f2b969902 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -146,12 +146,17 @@ genfscon debugfs /tracing/events/regulator/ u:object_r:
 genfscon debugfs /tracing/events/pagecache/ u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
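Review bot: The new f2fs_get_data_block, f2fs_iget, ext4_es_lookup_extent_enter/exit and ext4_load_inode directories take the debugfs_tracing label like the neighbouring write-path events, but nothing in genfs_contexts records why the f2fs/ext4 tracepoints get that label while pagecache, irq and ipi a few lines above stay on debugfs_tracing_debug, so the next contributor adding a tracepoint has to guess which label is the narrow one. A `#` comment above the first f2fs entry would fix that, e.g. `# f2fs/ext4 tracepoints a tracing consumer may read; any addition here must be mirrored in the tracefs list below.` The same five entries are added to the tracefs list in the second hunk, which is exactly the duplication the comment should call out so the two lists do not drift. Since these read-path events presumably report inode and extent lookups for every process's file accesses rather than only the traced app's, it is worth confirming in the referenced aosp/661782 change that the domain being granted read access is the one that already consumes the write events and no broader.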
@@ -163,12 +168,17 @@ genfscon tracefs /events/regulator/ u:object_r:debugfs_
 genfscon tracefs /events/pagecache/ u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/irq/ u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
-- 
GitLab