Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker

am: 44826cb5 * commit '44826cb5': Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker

Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
7fe25900 · Nick Kralevich · android-build-merger · 8e543646 · 44826cb5 · 7fe25900
Commit 7fe25900 authored 9 years ago by Nick Kralevich Committed by android-build-merger 9 years ago
--- a/attributes
+++ b/attributes
@@ -37,6 +37,9 @@ attribute data_file_type;
 # All types use for sysfs files.
 attribute sysfs_type;
+# All types use for debugfs files.
+attribute debugfs_type;
 # Attribute used for all sdcards
 attribute sdcard_type;

--- a/domain.te
+++ b/domain.te
@@ -110,6 +110,12 @@ allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
 ###
 ### neverallow rules
 ###

--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -71,6 +71,11 @@ allow domain_deprecated proc_cpuinfo:file r_file_perms;
 # debugfs access
 allow domain_deprecated debugfs:dir r_dir_perms;
+# TODO: The following line can likely be deleted. The only reason
+# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker
+# write access. This was in the days before labels could be assigned
+# to individual files on debugfs
+# (b/18935184, https://android-review.googlesource.com/122130)
 allow domain_deprecated debugfs:file w_file_perms;
 # Get SELinux enforcing status.

--- a/file.te
+++ b/file.te
@@ -40,6 +40,7 @@ type vfat, sdcard_type, fs_type, mlstrustedobject;
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
 type debugfs, fs_type, mlstrustedobject;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type pstorefs, fs_type;
 type functionfs, fs_type;
 type oemfs, fs_type, contextmount_type;
@@ -198,6 +199,7 @@ type property_contexts, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type debugfs:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;

--- a/file_contexts
+++ b/file_contexts
@@ -326,6 +326,11 @@
 /sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
 /sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
+#############################
+# debugfs files
+#
+/sys/kernel/debug/tracing/trace_marker   u:object_r:debugfs_trace_marker:s0
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0

--- a/init.te
+++ b/init.te
@@ -103,8 +103,8 @@ allow init {file_type -system_file -exec_type -keystore_data_file -security_file
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
-allow init sysfs_type:{ dir file lnk_file } relabelto;
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;

--- a/shell.te
+++ b/shell.te
@@ -69,12 +69,13 @@ set_prop(shell, debug_prop)
 set_prop(shell, powerctl_prop)
 # systrace support - allow atrace to run
-# debugfs doesn't support labeling individual files, so we have
+# debugfs did not support labeling individual files, so we have
 # to grant read access to all of /sys/kernel/debug.
 # Directory read access and file write access is already granted
 # in domain.te.
+# TODO: Fix this now that we support labeling individual debugfs files
+# (b/18935184, https://android-review.googlesource.com/122130)
 allow shell debugfs:file r_file_perms;
-allow shell debugfs:dir search;
 allow shell atrace_exec:file rx_file_perms;
 userdebug_or_eng(`