From 88c5a130b442a3987168d3c4111871abeb4f97bd Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Wed, 3 Sep 2014 15:08:08 -0400 Subject: [PATCH] Add debug.atrace.tags.enableflags=0 to /default.prop. This ensures that the property is always set by init prior to starting any other process, which avoids the need for the bionic systrace code to try to set the property if it has not already been set to avoid the full cost of searching for an undefined property each time. See change I30ed5b377c91ca4c36568a0e647ddf95d4e4a61a for the relevant bionic code. The problem with the current bionic code is that it can trigger an attempt to set this property from any random process, which will be denied unless the process is already authorized to set debug properties. This is visible in the form of various SELinux avc: denied messages and init sys_prop: permission denied messages in dmesg output. Allowing all domains to set such properties is undesirable. Change-Id: I6d953c0c281fd72ad3eba8a479fd258023579b5b Signed-off-by: Stephen Smalley --- target/product/embedded.mk | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/target/product/embedded.mk b/target/product/embedded.mk index 29d3ada92..f815bbe9a 100644 --- a/target/product/embedded.mk +++ b/target/product/embedded.mk @@ -76,6 +76,10 @@ PRODUCT_PACKAGES += \ selinux_version \ service_contexts +# Ensure that this property is always defined so that bionic_systrace.cpp +# can rely on it being initially set by init. +PRODUCT_DEFAULT_PROPERTY_OVERRIDES += \ + debug.atrace.tags.enableflags=0 PRODUCT_COPY_FILES += \ system/core/rootdir/init.usb.rc:root/init.usb.rc \
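Review bot: The comment on the added `PRODUCT_DEFAULT_PROPERTY_OVERRIDES` block in target/product/embedded.mk explains only the performance reason (bionic_systrace.cpp relying on the property being set by init) and leaves out the security reason given in the commit message. With the property predefined, arbitrary processes no longer try to set a debug property and trigger SELinux avc: denied and init sys_prop: permission denied messages. Since `debug.atrace.tags.enableflags=0` reads like a no-op default, a later cleanup could drop it and bring the denials back, or tempt someone to widen the policy instead, so say this in the comment. Also, "always defined" holds only for products that inherit embedded.mk. Either qualify the comment or confirm that every product configuration that ships bionic pulls this file in.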