From 97573fdfaaf322cdc69e1db6c8b8d75ed5b3aea0 Mon Sep 17 00:00:00 2001 From: Christian Poetzsch <christian.potzsch@imgtec.com> Date: Fri, 13 May 2016 13:36:33 +0100 Subject: [PATCH] sepolicy: add support for new tracefs Since kernel 4.1 ftrace is supported as a new separate filesystem. It gets automatically mounted by the kernel under the old path /sys/kernel/debug/tracing. Because it lives now on a separate device some sepolicy rules need to be updated. This patch is doing that. Most of the rules are created based on a conversation happened on the SELinux Android mailing list: http://comments.gmane.org/gmane.comp.security.seandroid/2799 Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common. Also note that when tracefs is auto mounted by the kernel, the kernel does not use the "mode" parameter specified to mount debugfs for tracefs. So an extra line like chmod 0755 /sys/kernel/debug/tracing is necessary in init.${ro.hardware}.rc after debugfs was mounted. Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com> (cherry picked from commit 4dafa72ac92a44089cae078c8c676eb3cedc226e) Change-Id: I75738c756b49da4ac109ae442ee37c1e2844ff0a
---
 file.te | 2 +- genfs_contexts | 1 + init.te | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/file.te b/file.te
index c6b2a49e3..8b525daac 100644
--- a/file.te
+++ b/file.te
@@ -236,7 +236,7 @@ type property_contexts, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type debugfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
diff --git a/genfs_contexts b/genfs_contexts
index d3d8bfb7e..31794a1e8 100644
--- a/genfs_contexts
+++ b/genfs_contexts
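Review bot: The widened associate rule lets every `debugfs_type` label live on the tracefs superblock, whereas the genfs_contexts entry in this same patch labels the whole tracefs tree `debugfs_tracing`; if no other debugfs_type labels are expected on tracefs (the init.te `relabelto debugfs_type` rule suggests they may be), the least-privilege form is a dedicated line, `allow debugfs_tracing debugfs_tracing:filesystem associate;`, next to the unchanged debugfs one. Either way the changed line needs a why-comment, because `debugfs_tracing` appears here as the filesystem SID of a mount rather than as a file label: `# tracefs (kernel >= 4.1) is a separate filesystem whose root/superblock is labeled debugfs_tracing by genfs_contexts, so debugfs file labels must be allowed to associate with it as well.` The declaration of `debugfs_tracing` is not part of this patch, so presumably it already exists elsewhere in file.te; worth confirming it carries `debugfs_type` so the new rule actually covers the tracefs root itself.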
@@ -34,6 +34,7 @@ genfscon sysfs / u:object_r:sysfs:s0
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
+genfscon tracefs / u:object_r:debugfs_tracing:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0
 genfscon sdcardfs / u:object_r:sdcardfs:s0
diff --git a/init.te b/init.te
index d8ed8b8f8..6197c3908 100644
--- a/init.te
+++ b/init.te
@@ -108,7 +108,7 @@ allow init {file_type -system_file -exec_type -keystore_data_file -security_file
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;
-- GitLab
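Review bot: Labeling `tracefs /` as a single type means every domain that is already allowed `debugfs_tracing` now reaches the entire auto-mounted ftrace tree, not just whatever was previously labeled under the debugfs path; that is the intended effect, but it should be stated at the new line, e.g. `# kernels >= 4.1 auto-mount tracefs over /sys/kernel/debug/tracing; its root gets the same label the debugfs path used.` If this file (above the hunk) has finer `genfscon debugfs /tracing/...` entries, they are shadowed by the tracefs mount on such kernels and would need mirroring as `genfscon tracefs /<path>` entries, which in turn depends on the kernel supporting per-path genfs labeling for tracefs — possibly what the referenced kernel change provides, but that cannot be confirmed from this patch.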
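Review bot: The commit message requires init.rc to run `chmod 0755 /sys/kernel/debug/tracing`, which needs `setattr` on a `debugfs_tracing:dir`, but the changed line grants init only `getattr relabelfrom` on that type; unless a broader rule outside this hunk (for instance a setattr grant over `fs_type`) already covers it, the chmod will be denied at boot and the tracefs root stays at the kernel's default mode. If no such rule exists, add `allow init debugfs_tracing:dir setattr;` beside the changed line. The pairing of `relabelfrom` on debugfs_tracing with the unchanged `relabelto` on all of `debugfs_type` below it also deserves a comment so the next reader knows it is deliberate, e.g. `# tracefs nodes start as debugfs_tracing; init may relabel them to other debugfs_type labels.`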