sepolicy: add support for new tracefs

Since kernel 4.1 ftrace is supported as a new separate filesystem. It gets automatically mounted by the kernel under the old path /sys/kernel/debug/tracing. Because it lives now on a separate device some sepolicy rules need to be updated. This patch is doing that. Most of the rules are created based on a conversation happened on the SELinux Android mailing list: http://comments.gmane.org/gmane.comp.security.seandroid/2799 Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common. Also note that when tracefs is auto mounted by the kernel, the kernel does not use the "mode" parameter specified to mount debugfs for tracefs. So an extra line like chmod 0755 /sys/kernel/debug/tracing is necessary in init.${ro.hardware}.rc after debugfs was mounted. Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com> (cherry picked from commit 4dafa72a) Change-Id: I75738c756b49da4ac109ae442ee37c1e2844ff0a

sepolicy: add support for new tracefs
97573fdf · Christian Poetzsch · Nick Kralevich · 1a5fcecc · 97573fdf · 97573fdf
Commit 97573fdf authored 8 years ago by Christian Poetzsch Committed by Nick Kralevich 8 years ago
--- a/file.te
+++ b/file.te
@@ -236,7 +236,7 @@ type property_contexts, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type debugfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;

--- a/genfs_contexts
+++ b/genfs_contexts
@@ -34,6 +34,7 @@ genfscon sysfs / u:object_r:sysfs:s0
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
+genfscon tracefs / u:object_r:debugfs_tracing:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0
 genfscon sdcardfs / u:object_r:sdcardfs:s0

--- a/init.te
+++ b/init.te
@@ -108,7 +108,7 @@ allow init {file_type -system_file -exec_type -keystore_data_file -security_file
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;