Selinux policy for bootreceiver tracing instance
Create contexts for /sys/kernel/tracing/instances/bootreceiver
Allow read access to files in this dir for system_server.
Bug: 172316664
Bug: 181778620
Test: manual runs with KFENCE enabled
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I7021a9f32b1392b9afb77294a1fd0a1be232b1f2
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 3793195..835f901 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -22,6 +22,7 @@
ctl_snapuserd_prop
debugfs_kprobes
debugfs_mm_events_tracing
+ debugfs_bootreceiver_tracing
device_config_profcollect_native_boot_prop
device_config_connectivity_prop
device_config_swcodec_native_prop
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 21a1ae9..79b0313 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -177,6 +177,8 @@
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
diff --git a/private/init.te b/private/init.te
index 348673b..4e8289a 100644
--- a/private/init.te
+++ b/private/init.te
@@ -83,3 +83,6 @@
# Only init can set keystore.boot_level
neverallow { -init } keystore_listen_prop:property_service set;
+
+# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
+allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index c0c7c16..8bee1bf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1021,6 +1021,10 @@
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;
+# Allow BootReceiver to watch trace error_report events.
+allow system_server debugfs_bootreceiver_tracing:dir search;
+allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
+
# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 4e17f12..243148f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -557,6 +557,9 @@
# vndservice_contexts file
type vndservice_contexts_file, file_type;
+# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;