From 38a261a82b671dadd370ae0ebdc3de36013de05d Mon Sep 17 00:00:00 2001 
From: dcashman Date: Mon, 16 Jun 2014 14:17:05 -0700 Subject: [PATCH] Allow all domains access to /dev/qemu_trace. /dev/qemu_trace is used by memcheck on qemu to get memory allocation events from all processes on the system. Allow all domains to access this device, and other qemu-specific devices. Addresses the following denials: type=1400 audit(1402674828.500:3): avc: denied { read write } for pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.500:4): avc: denied { open } for pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.520:5): avc: denied { read write } for pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.520:6): avc: denied { open } for pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.610:7): avc: denied { read write } for pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.610:8): avc: denied { open } for pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.000:9): avc: denied { read write } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.000:10): avc: denied { open } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.180:11): avc: denied { read write } 
for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:12): avc: denied { read write } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:13): avc: denied { open } for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:14): avc: denied { open } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.280:15): avc: denied { read write } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.280:16): avc: denied { open } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674830.580:17): avc: denied { read write } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674830.580:18): avc: denied { open } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674930.860:22): avc: denied { read write } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674930.870:23): avc: denied { open } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file Bug: 15570479 Change-Id: 
I87d0976800557d73064e2da038315b0d019d7a60
---
target/board/generic/BoardConfig.mk | 6 +-----
target/board/generic/sepolicy/adbd.te | 1 -
target/board/generic/sepolicy/app.te | 1 -
target/board/generic/sepolicy/bootanim.te | 1 -
target/board/generic/sepolicy/domain.te | 1 +
target/board/generic/sepolicy/mediaserver.te | 1 -
target/board/generic/sepolicy/rild.te | 1 -
target/board/generic/sepolicy/surfaceflinger.te | 1 -
target/board/generic/sepolicy/system_server.te | 1 -
target/board/generic/sepolicy/zygote.te | 1 -
target/board/generic_mips/BoardConfig.mk | 2 --
target/board/generic_x86/BoardConfig.mk | 8 +-------
target/board/generic_x86/sepolicy/adbd.te | 1 -
target/board/generic_x86/sepolicy/app.te | 1 -
target/board/generic_x86/sepolicy/bootanim.te | 1 -
target/board/generic_x86/sepolicy/domain.te | 1 +
target/board/generic_x86/sepolicy/mediaserver.te | 1 -
target/board/generic_x86/sepolicy/rild.te | 1 -
target/board/generic_x86/sepolicy/surfaceflinger.te | 1 -
target/board/generic_x86/sepolicy/system_server.te | 1 -
target/board/generic_x86/sepolicy/zygote.te | 1 -
21 files changed, 4 insertions(+), 30 deletions(-)
delete mode 100644 target/board/generic/sepolicy/adbd.te
delete mode 100644 target/board/generic/sepolicy/app.te
delete mode 100644 target/board/generic/sepolicy/mediaserver.te
delete mode 100644 target/board/generic/sepolicy/zygote.te
delete mode 100644 target/board/generic_x86/sepolicy/adbd.te
delete mode 100644 target/board/generic_x86/sepolicy/app.te
delete mode 100644 target/board/generic_x86/sepolicy/bootanim.te
delete mode 100644 target/board/generic_x86/sepolicy/mediaserver.te
delete mode 100644 target/board/generic_x86/sepolicy/surfaceflinger.te
diff --git a/target/board/generic/BoardConfig.mk b/target/board/generic/BoardConfig.mk
index 6d58b1c86..62303d6c5 100644
--- a/target/board/generic/BoardConfig.mk
+++ b/target/board/generic/BoardConfig.mk
@@ -77,17 +77,13 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
 BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
 BOARD_SEPOLICY_UNION += \
- adbd.te \
- app.te \
 bootanim.te \
 device.te \
 domain.te \
 file.te \
 file_contexts \
- mediaserver.te \
 qemud.te \
 rild.te \
 shell.te \
 surfaceflinger.te \
- system_server.te \
- zygote.te
+ system_server.te
diff --git a/target/board/generic/sepolicy/adbd.te b/target/board/generic/sepolicy/adbd.te
deleted file mode 100644
index f65cfb3a4..000000000
--- a/target/board/generic/sepolicy/adbd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow adbd qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/app.te b/target/board/generic/sepolicy/app.te
deleted file mode 100644
index fd33453e6..000000000
--- a/target/board/generic/sepolicy/app.te
+++ /dev/null
@@ -1 +0,0 @@
-allow appdomain qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/bootanim.te b/target/board/generic/sepolicy/bootanim.te
index a5a84f9fb..d6506e11d 100644
--- a/target/board/generic/sepolicy/bootanim.te
+++ b/target/board/generic/sepolicy/bootanim.te
@@ -1,3 +1,2 @@
 allow bootanim self:process execmem;
 allow bootanim ashmem_device:chr_file execute;
-allow bootanim qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/domain.te b/target/board/generic/sepolicy/domain.te
index f0261004f..c28ca74f1 100644
--- a/target/board/generic/sepolicy/domain.te
+++ b/target/board/generic/sepolicy/domain.te
@@ -1,2 +1,3 @@
 # For /sys/qemu_trace files in the emulator.
 allow domain sysfs_writable:file rw_file_perms;
+allow domain qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/mediaserver.te b/target/board/generic/sepolicy/mediaserver.te
deleted file mode 100644
index 90b8cf812..000000000
--- a/target/board/generic/sepolicy/mediaserver.te
+++ /dev/null
@@ -1 +0,0 @@
-allow mediaserver qemu_device:chr_file rw_file_perms;
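Review bot: The new `allow domain qemu_device:chr_file rw_file_perms;` in generic/sepolicy/domain.te carries no comment, while the sysfs rule right above it does, and it is broader than the /dev/qemu_trace need given in the commit message: every domain, including the app domains that the deleted app.te used to name explicitly, gets read/write on every character device labeled qemu_device, not only qemu_trace. Since this file lives under board/generic/sepolicy it only reaches emulator builds, but the rule should say so and name its consumer, e.g. `# Emulator only: memcheck on qemu collects allocation events from every process via /dev/qemu_trace (bug 15570479), so all domains need rw on qemu_device chr_files.` If other /dev nodes also carry the qemu_device label, giving qemu_trace its own type would let this domain-wide rule stay narrow; which nodes device.te and file_contexts assign to qemu_device is not visible in this hunk.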
diff --git a/target/board/generic/sepolicy/rild.te b/target/board/generic/sepolicy/rild.te
index 5de171adf..e148b6c13 100644
--- a/target/board/generic/sepolicy/rild.te
+++ b/target/board/generic/sepolicy/rild.te
@@ -1,2 +1 @@
-allow rild qemu_device:chr_file rw_file_perms;
 unix_socket_connect(rild, qemud, qemud)
diff --git a/target/board/generic/sepolicy/surfaceflinger.te b/target/board/generic/sepolicy/surfaceflinger.te
index 671278919..4c354697a 100644
--- a/target/board/generic/sepolicy/surfaceflinger.te
+++ b/target/board/generic/sepolicy/surfaceflinger.te
@@ -1,3 +1,2 @@
 allow surfaceflinger self:process execmem;
 allow surfaceflinger ashmem_device:chr_file execute;
-allow surfaceflinger qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/system_server.te b/target/board/generic/sepolicy/system_server.te
index ef4ce4a73..d0fb79d9b 100644
--- a/target/board/generic/sepolicy/system_server.te
+++ b/target/board/generic/sepolicy/system_server.te
@@ -1,2 +1 @@
 unix_socket_connect(system_server, qemud, qemud)
-allow system_server qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/zygote.te b/target/board/generic/sepolicy/zygote.te
deleted file mode 100644
index a5da57406..000000000
--- a/target/board/generic/sepolicy/zygote.te
+++ /dev/null
@@ -1 +0,0 @@
-allow zygote qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_mips/BoardConfig.mk b/target/board/generic_mips/BoardConfig.mk
index 17e241de8..a319ad71a 100644
--- a/target/board/generic_mips/BoardConfig.mk
+++ b/target/board/generic_mips/BoardConfig.mk
@@ -59,13 +59,11 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
 BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
 BOARD_SEPOLICY_UNION += \
- adbd.te \
 bootanim.te \
 device.te \
 domain.te \
 file.te \
 file_contexts \
- mediaserver.te \
 qemud.te \
 rild.te \
 shell.te \
diff --git a/target/board/generic_x86/BoardConfig.mk b/target/board/generic_x86/BoardConfig.mk
index 5277cdc81..2dc761506 100644
--- a/target/board/generic_x86/BoardConfig.mk
+++ b/target/board/generic_x86/BoardConfig.mk
@@ -44,19 +44,13 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
 BOARD_SEPOLICY_DIRS += build/target/board/generic_x86/sepolicy
 BOARD_SEPOLICY_UNION += \
- app.te \
- adbd.te \
- bootanim.te \
 device.te \
 domain.te \
 file.te \
 file_contexts \
 healthd.te \
 installd.te \
- mediaserver.te \
 qemud.te \
 rild.te \
 shell.te \
- surfaceflinger.te \
- system_server.te \
- zygote.te
+ system_server.te
diff --git a/target/board/generic_x86/sepolicy/adbd.te b/target/board/generic_x86/sepolicy/adbd.te
deleted file mode 100644
index f65cfb3a4..000000000
--- a/target/board/generic_x86/sepolicy/adbd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow adbd qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/app.te b/target/board/generic_x86/sepolicy/app.te
deleted file mode 100644
index fd33453e6..000000000
--- a/target/board/generic_x86/sepolicy/app.te
+++ /dev/null
@@ -1 +0,0 @@
-allow appdomain qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/bootanim.te b/target/board/generic_x86/sepolicy/bootanim.te
deleted file mode 100644
index 762a57387..000000000
--- a/target/board/generic_x86/sepolicy/bootanim.te
+++ /dev/null
@@ -1 +0,0 @@
-allow bootanim qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/domain.te b/target/board/generic_x86/sepolicy/domain.te
index c17950d9f..c3161b37d 100644
--- a/target/board/generic_x86/sepolicy/domain.te
+++ b/target/board/generic_x86/sepolicy/domain.te
@@ -1,3 +1,4 @@
 # For /sys/qemu_trace files in the emulator.
 allow domain sysfs_writable:file rw_file_perms;
 allow domain cpuctl_device:dir search;
+allow domain qemu_device:chr_file rw_file_perms;
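Review bot: The generic_x86 BoardConfig.mk hunk drops `zygote.te` from BOARD_SEPOLICY_UNION, but unlike adbd.te, app.te, bootanim.te, mediaserver.te and surfaceflinger.te that file is not deleted by this patch: the generic_x86/sepolicy/zygote.te hunk further down only removes the qemu_device line and keeps `allow zygote self:process execmem;` and `allow zygote self:capability sys_nice;`. If BOARD_SEPOLICY_UNION still selects which board files are compiled into the policy in this tree, those two zygote rules silently fall out of the x86 emulator policy and will come back as avc denials; if the list is already ignored by the sepolicy build, the edit is harmless but then the whole UNION list is dead config. Keep the original tail of the list, `system_server.te \` followed by `zygote.te`, instead of replacing it with `system_server.te` alone.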
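Review bot: The added `allow domain qemu_device:chr_file rw_file_perms;` in generic_x86/sepolicy/domain.te has no comment explaining why every domain needs read/write on qemu_device, while the sysfs rule two lines above it does; the commit message gives the reason, so record it in the policy: `# Emulator only: memcheck on qemu collects allocation events from every process via /dev/qemu_trace (bug 15570479).` Note that the rule covers every chr_file labeled qemu_device, not just qemu_trace, and now reaches app domains as well as the system daemons in the denials; whether other /dev nodes carry that label is not visible in this hunk.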
diff --git a/target/board/generic_x86/sepolicy/mediaserver.te b/target/board/generic_x86/sepolicy/mediaserver.te
deleted file mode 100644
index 90b8cf812..000000000
--- a/target/board/generic_x86/sepolicy/mediaserver.te
+++ /dev/null
@@ -1 +0,0 @@
-allow mediaserver qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/rild.te b/target/board/generic_x86/sepolicy/rild.te
index 5de171adf..e148b6c13 100644
--- a/target/board/generic_x86/sepolicy/rild.te
+++ b/target/board/generic_x86/sepolicy/rild.te
@@ -1,2 +1 @@
-allow rild qemu_device:chr_file rw_file_perms;
 unix_socket_connect(rild, qemud, qemud)
diff --git a/target/board/generic_x86/sepolicy/surfaceflinger.te b/target/board/generic_x86/sepolicy/surfaceflinger.te
deleted file mode 100644
index 865405ce5..000000000
--- a/target/board/generic_x86/sepolicy/surfaceflinger.te
+++ /dev/null
@@ -1 +0,0 @@
-allow surfaceflinger qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/system_server.te b/target/board/generic_x86/sepolicy/system_server.te
index 9bfe5fe4e..0ede97165 100644
--- a/target/board/generic_x86/sepolicy/system_server.te
+++ b/target/board/generic_x86/sepolicy/system_server.te
@@ -1,3 +1,2 @@
 allow system_server self:process execmem;
 unix_socket_connect(system_server, qemud, qemud)
-allow system_server qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic_x86/sepolicy/zygote.te b/target/board/generic_x86/sepolicy/zygote.te
index d34c4a1f9..93993a47f 100644
--- a/target/board/generic_x86/sepolicy/zygote.te
+++ b/target/board/generic_x86/sepolicy/zygote.te
@@ -1,3 +1,2 @@
 allow zygote self:process execmem;
 allow zygote self:capability sys_nice;
-allow zygote qemu_device:chr_file rw_file_perms;