On 20 April 2016 at 00:45, Stephen Smalley <[email protected]> wrote:
> On 04/19/2016 12:32 PM, YongQin Liu wrote:
> > Hi, Stephen
> >
> > Thanks for your suggestions!
> >
> > With a hack on selinux_is_sblabel_mnt(), and the sepolicy rules change here:
> > https://android-review.googlesource.com/#/c/216878/
> >
> > I can make there be no avc denials in dmesg.
> > But if we support tracefs in the sepolicy rules of AOSP, then the kernel is
> > required to be 4.1 or later,
> > or the tracefs feature must be ported to kernels before that, which seems not
> > flexible.
> >
> > Is there a better way to make one copy of the sepolicy rules in AOSP support
> > both kernel versions before 4.1 and later?
>
> Your policy change also loses the distinction between trace_marker and
> other files under tracing. The distinction is important because we only
> want trace_marker to be writable by all, not the rest of the tracefs files.
>
> The only actual change required to sepolicy is adding a line to
> genfs_contexts; you do not need to change the existing types, allow
> rules, or file_contexts entries. Just add:
> genfscon tracefs / u:object_r:debugfs_tracing:s0
> to genfs_contexts.
>
> Then it should work seamlessly for any kernel version.
>

/sys/kernel/debug/tracing/trace_marker files cannot be marked with the debugfs_trace_marker context; the following is the output of the ls -Z command:

u:object_r:debugfs_tracing:s0 /sys/kernel/debug/tracing/trace_marker

Thanks,
Yongqin Liu

>
> As a naming cleanup, one could rename debugfs_tracing to tracefs and
> debugfs_trace_marker to tracefs_trace_marker, but that's not really
> necessary. One could also provide typealias statements to provide
> compatibility with the old names for device policies.
>
>

--
Best Regards,
Yongqin Liu
---------------------------------------------------------------
#mailing list
[email protected] <[email protected]>
http://lists.linaro.org/mailman/listinfo/linaro-android
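Added illustration, not code from the thread or from AOSP: a small Python model of the kernel's genfscon lookup, which explains the ls -Z output above. On a tracefs mount the path handed to the labeling lookup is relative to the tracefs root (/trace_marker, not /tracing/trace_marker), so the existing debugfs entry for trace_marker never applies; with only the single "genfscon tracefs /" line, trace_marker inherits debugfs_tracing, and a second tracefs entry for /trace_marker restores the distinction. The debugfs entries and the second tracefs line are assumed policy fragments written for this example.

```python
"""Model of how SELinux genfscon entries label files on a genfs filesystem."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GenfsCon:
    fstype: str   # filesystem type, e.g. "debugfs" or "tracefs"
    path: str     # path relative to that filesystem's mount root
    context: str  # security context assigned to matching files


def lookup_context(rules, fstype, path):
    """Return the context for (fstype, path), or None if no entry matches.

    checkpolicy stores genfscon entries longest-path-first and the kernel takes
    the first entry whose path is a plain string prefix of the file path, so the
    effective rule is "longest prefix wins".  The path is relative to the mount
    root of the filesystem being labeled, not to the global mount tree.
    """
    candidates = [r for r in rules
                  if r.fstype == fstype and path.startswith(r.path)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(r.path)).context


# Constructed policy fragment (assumed, not copied from AOSP): the pre-tracefs
# debugfs entries plus the single tracefs line proposed in the thread.
ONE_LINE_FIX = [
    GenfsCon("debugfs", "/", "u:object_r:debugfs:s0"),
    GenfsCon("debugfs", "/tracing", "u:object_r:debugfs_tracing:s0"),
    GenfsCon("debugfs", "/tracing/trace_marker",
             "u:object_r:debugfs_trace_marker:s0"),
    GenfsCon("tracefs", "/", "u:object_r:debugfs_tracing:s0"),
]

# Same policy with a second tracefs entry so trace_marker keeps its own type
# (assumed fragment; the thread does not spell this line out).
TWO_LINE_FIX = ONE_LINE_FIX + [
    GenfsCon("tracefs", "/trace_marker", "u:object_r:debugfs_trace_marker:s0"),
]


def label_trace_marker(rules):
    """Context the kernel gives trace_marker on tracefs mounted under debugfs."""
    return lookup_context(rules, "tracefs", "/trace_marker")


if __name__ == "__main__":
    print("one line :", label_trace_marker(ONE_LINE_FIX))
    print("two lines:", label_trace_marker(TWO_LINE_FIX))
```

The one-line policy reproduces the ls -Z result quoted above (trace_marker labeled debugfs_tracing); the two-line policy gives it debugfs_trace_marker while every other tracefs file still resolves to debugfs_tracing.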
_______________________________________________
Seandroid-list mailing list
[email protected]
