label /sys/kernel/debug/tracing and remove debugfs write

Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.

Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.

Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3

bootanim.te

@@ -22,10 +22,6 @@ allow bootanim surfaceflinger_service:service_manager find;
 allow bootanim cgroup:dir { search write };
 allow bootanim cgroup:file w_file_perms;
 
-# debugfs access
-allow bootanim debugfs:dir r_dir_perms;
-allow bootanim debugfs:file w_file_perms;
-
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;
 

domain.te

@@ -118,6 +118,7 @@ allow domain selinuxfs:filesystem getattr;
 # /sys/kernel/debug/tracing/trace_marker
 # The reason behind this is documented in b/6513400
 allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;
 
 ###

domain_deprecated.te

@@ -68,15 +68,6 @@ r_dir_file(domain_deprecated, cgroup)
 r_dir_file(domain_deprecated, proc_net)
 allow domain_deprecated proc_cpuinfo:file r_file_perms;
 
-# debugfs access
-allow domain_deprecated debugfs:dir r_dir_perms;
-# TODO: The following line can likely be deleted. The only reason
-# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker
-# write access. This was in the days before labels could be assigned
-# to individual files on debugfs
-# (b/18935184, https://android-review.googlesource.com/122130)
-allow domain_deprecated debugfs:file w_file_perms;
-
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
 allow domain_deprecated selinuxfs:file r_file_perms;

file.te

@@ -39,8 +39,9 @@ type fuse, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
-type debugfs, fs_type, mlstrustedobject;
+type debugfs, fs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type;
 type pstorefs, fs_type;
 type functionfs, fs_type;
 type oemfs, fs_type, contextmount_type;

file_contexts

@@ -330,6 +330,7 @@
 #############################
 # debugfs files
 #
+/sys/kernel/debug/tracing(/.*)?          u:object_r:debugfs_tracing:s0
 /sys/kernel/debug/tracing/trace_marker   u:object_r:debugfs_trace_marker:s0
 
 #############################

perfprofd.te

@@ -48,7 +48,7 @@ userdebug_or_eng(`
   allow perfprofd exec_type:file r_file_perms;
 
   # simpleperf examines debugfs on startup to collect tracepoint event types
-  allow perfprofd debugfs:file r_file_perms;
+  allow perfprofd debugfs_tracing:file r_file_perms;
 
   # simpleperf is going to execute "sleep"
   allow perfprofd toolbox_exec:file rx_file_perms;

shell.te

@@ -69,13 +69,8 @@ set_prop(shell, debug_prop)
 set_prop(shell, powerctl_prop)
 
 # systrace support - allow atrace to run
-# debugfs did not support labeling individual files, so we have
-# to grant read access to all of /sys/kernel/debug.
-# Directory read access and file write access is already granted
-# in domain.te.
-# TODO: Fix this now that we support labeling individual debugfs files
-# (b/18935184, https://android-review.googlesource.com/122130)
-allow shell debugfs:file r_file_perms;
+allow shell debugfs_tracing:dir r_dir_perms;
+allow shell debugfs_tracing:file rw_file_perms;
 allow shell atrace_exec:file rx_file_perms;
 
 userdebug_or_eng(`