perfetto: allow traced to write into FDs received by the client
This allows an optimization in which the "perfetto" cmdline client passes the file descriptor for the output trace directly to traced (as opposed to having traced stream the trace data back to "perfetto" and having that process do the write() into the file). This noticeably reduces the memory traffic and CPU overhead of traces with a minor change. Bug: 73625179 Test: builds + perfetto_integrationtests w/ long_trace.cfg Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2
parent
cef53221db
commit
5d31732612
@ -14,6 +14,13 @@ typeattribute traced_tmpfs mlstrustedobject;
|
||||
# the privileged process that controls it.
|
||||
allow traced self:global_capability_class_set { sys_nice };
|
||||
|
||||
# Allow to pass a file descriptor for the output trace from "perfetto" (the
|
||||
# cmdline client) and other shell binaries to traced and let traced write
|
||||
# directly into that (rather than returning the trace contents over the socket).
|
||||
allow traced perfetto:fd use;
|
||||
allow traced shell:fd use;
|
||||
allow traced perfetto_traces_data_file:file { read write };
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
@ -42,7 +49,11 @@ neverallow traced {
|
||||
neverallow traced { system_data_file }:dir ~{ getattr search };
|
||||
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
|
||||
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
|
||||
neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;
|
||||
neverallow traced {
|
||||
data_file_type
|
||||
-zoneinfo_data_file
|
||||
-perfetto_traces_data_file
|
||||
}:file ~write;
|
||||
|
||||
# Only init is allowed to enter the traced domain via exec()
|
||||
neverallow { domain -init } traced:process transition;
|
||||
|
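Review bot: The second hunk's carve-out drops `perfetto_traces_data_file` from the `:file ~write` neverallow altogether, so nothing at build time stops a later rule from giving traced `open`, `create` or `unlink` on that type, although the first hunk grants only `{ read write }` on an fd it receives. The exemption is needed only because of `read`, since the original neverallow already permitted `write`; if the client can open the output write-only, dropping `read` from the allow would leave the original neverallow untouched. If `read` has to stay (for example because the fd is opened read-write, which is not visible here), pin the intent with a companion rule such as `neverallow traced perfetto_traces_data_file:file ~{ read write };`, assuming no other rule grants traced more on that type. A one-line comment above the carve-out stating that access is through passed fds only would also help the next reader.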