On 04/19/2016 12:32 PM, YongQin Liu wrote:
> Hi, Stephen
>
> Thanks for your suggestions!
>
> With hack on selinux_is_sblabel_mnt(), and sepolicy rules change here:
> https://android-review.googlesource.com/#/c/216878/
>
> I can make there no avc denials in dmesg.
> but if we support tracefs in the sepolicy rules of AOSP, then kernel is
> required to be 4.1 and later,
> or tracefs feature porting to kernel before that, which seems not flexible.
>
> is there a better way to make one copy sepolicy rules in AOSP to support
> both kernel versions before 4.1 and later?

Your policy change also loses the distinction between trace_marker and other files under tracing. The distinction is important because we only want trace_marker to be writable by all, not the rest of the tracefs files.

The only actual change required to sepolicy is adding a line to genfs_contexts; you do not need to change the existing types, allow rules, or file_contexts entries. Just add:

genfscon tracefs / u:object_r:debugfs_tracing:s0

to genfs_contexts. Then it should work seamlessly for any kernel version.

As a naming cleanup, one could rename debugfs_tracing to tracefs and debugfs_trace_marker to tracefs_trace_marker, but that's not really necessary. One could also provide typealias statements to provide compatibility with the old names for device policies.
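
A lint for the two points in the reply above, added here as an example and not part of the original message or of AOSP: it checks that genfs_contexts labels the tracefs root as debugfs_tracing and that trace_marker keeps a type of its own in file_contexts. The sample policy text, including the /sys/kernel/debug/tracing paths, is constructed for illustration.

```python
# Constructed sample policy text (an assumption, not copied from AOSP).
GENFS_CONTEXTS = """\
genfscon debugfs / u:object_r:debugfs:s0
genfscon tracefs / u:object_r:debugfs_tracing:s0
"""
FILE_CONTEXTS = """\
/sys/kernel/debug/tracing(/.*)?         u:object_r:debugfs_tracing:s0
/sys/kernel/debug/tracing/trace_marker  u:object_r:debugfs_trace_marker:s0
"""

def fields(text):
    """Yield whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts

def ctx_type(context):
    """Type field of a user:role:type:level context, or None (e.g. <<none>>)."""
    bits = context.split(":")
    return bits[2] if len(bits) >= 4 else None

def genfs_types(text):
    """Map (fstype, path) -> type for every genfscon statement."""
    return {(p[1], p[2]): ctx_type(p[-1])
            for p in fields(text) if p[0] == "genfscon" and len(p) >= 4}

def marker_types(text):
    """Types that file_contexts assigns to paths ending in /trace_marker."""
    return {ctx_type(p[-1]) for p in fields(text)
            if len(p) >= 2 and p[0].endswith("/trace_marker")}

def check(genfs_text, fc_text):
    """Return a list of problems; an empty list means both points hold."""
    problems = []
    root = genfs_types(genfs_text).get(("tracefs", "/"))
    if root != "debugfs_tracing":
        problems.append("tracefs root is not labeled debugfs_tracing")
    markers = marker_types(fc_text)
    if not markers or None in markers or "debugfs_tracing" in markers:
        problems.append("trace_marker has no distinct type")
    return problems

if __name__ == "__main__":
    print(check(GENFS_CONTEXTS, FILE_CONTEXTS) or "policy text passes both checks")
```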
