From d807d58825574cd28aab9dc415402e63d8702881 Mon Sep 17 00:00:00 2001
From: Primiano Tucci <primiano@google.com>
Date: Fri, 16 Feb 2018 13:54:41 +0000
Subject: [PATCH] selinux: allow Perfetto traced_probes to write into kmesg

This allows traced_probes to leave audit trails in dmesg, so that
kernel panics can be cross-correlated with perfetto ftrace activity.

Bug: 73340039
Change-Id: I575a537553adc75378783c37c84350581250614d
---
 private/traced_probes.te | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/private/traced_probes.te b/private/traced_probes.te
index 3bf147132..03ace75bd 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -29,6 +29,9 @@ allow traced_probes self:global_capability_class_set { sys_nice };
 # Allow procfs access
 r_dir_file(traced_probes, domain)
 
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
 ###
 ### Neverallow rules
 ###
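Review bot: The new allow on `kmsg_device:chr_file` grants `write` but not `open`, and the comment above it does not say where the descriptor comes from. Presumably traced_probes inherits an already-open /dev/kmsg fd from its parent; if so, say that in the comment so nobody later widens the rule to `w_file_perms` or adds `read`. For example, once confirmed: `# Write-only on an inherited fd (no open/read): traced_probes must not be able to read the kernel log.` Because the neverallow section starts right below, a matching `neverallow traced_probes kmsg_device:chr_file ~write;` would pin that intent at build time, provided it does not clash with rules outside this hunk.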
@@ -45,7 +48,7 @@ neverallow traced_probes dev_type:blk_file { read write };
 neverallow traced_probes domain:process ptrace;
 
 # Disallows access to /data files.
-neverallow traced {
+neverallow traced_probes {
   data_file_type
   -system_data_file
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
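Review bot: Changing the source type from `traced` to `traced_probes` here, and in the four `neverallow` lines of the next hunk, is a policy fix that neither the subject nor the description mentions. Until now these /data assertions constrained the `traced` domain rather than the domain this file defines. After the change nothing in this diff shows that `traced` still has equivalent /data neverallows, so confirm its own policy file carries them, or the assertion coverage is silently dropped for that domain. Add a line to the commit message such as `Also fix the /data neverallow rules to target traced_probes instead of traced.` so the change is visible in history. The `neverallow traced_probes { … }:dir *;` block starts in this hunk and closes in the next one.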
@@ -53,10 +56,10 @@ neverallow traced {
   -vendor_data_file
   -zoneinfo_data_file
 }:dir *;
-neverallow traced system_data_file:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced { data_file_type -zoneinfo_data_file }:file *;
+neverallow traced_probes system_data_file:dir ~{ getattr search };
+neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
 
 # Only init is allowed to enter the traced_probes domain via exec()
 neverallow { domain -init } traced_probes:process transition;
-- 
GitLab