Allow Java domains to be Perfetto producers.

This is needed to get Java heap graphs.

Test: flash aosp; profile system_server with setenforce 1

Bug: 136210868

Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3

private/app.te

@@ -2,6 +2,8 @@
 # the implementation of ActivityManager.isDeviceInTestHarnessMode()
 get_prop(appdomain, test_harness_prop)
 
+userdebug_or_eng(`perfetto_producer({ appdomain })')
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };

private/ephemeral_app.te

@@ -51,9 +51,7 @@ binder_call(ephemeral_app, gpuservice)
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow ephemeral_app traced:fd use;
-allow ephemeral_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(ephemeral_app, traced_producer, traced)
+perfetto_producer(ephemeral_app)
 
 # Allow heap profiling if the app opts in by being marked
 # profileable/debuggable.

private/heapprofd.te

@@ -35,9 +35,7 @@ dontaudit heapprofd domain:dir { search open };
 
 # Write trace data to the Perfetto traced daemon. This requires connecting to
 # its producer socket and obtaining a (per-process) tmpfs fd.
-allow heapprofd traced:fd use;
-allow heapprofd traced_tmpfs:file { read write getattr map };
-unix_socket_connect(heapprofd, traced_producer, traced)
+perfetto_producer(heapprofd)
 
 # When handling profiling for all processes, heapprofd needs to read
 # executables/libraries/etc to do stack unwinding.

private/isolated_app.te

@@ -56,9 +56,7 @@ dontaudit isolated_app shell_data_file:dir search;
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow isolated_app traced:fd use;
-allow isolated_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(isolated_app, traced_producer, traced)
+perfetto_producer(isolated_app)
 
 # Allow heap profiling if the main app has been marked as profileable or
 # debuggable.

private/perfetto.te

@@ -13,10 +13,7 @@ unix_socket_connect(perfetto, traced_consumer, traced)
 
 # Connect to the Perfetto traced daemon as a producer. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow perfetto traced:fd use;
-allow perfetto traced_tmpfs:file { read write getattr map };
-unix_socket_connect(perfetto, traced_producer, traced)
-
+perfetto_producer(perfetto)
 
 # Allow to write and unlink traces into /data/misc/perfetto-traces.
 allow perfetto perfetto_traces_data_file:dir rw_dir_perms;

private/priv_app.te

@@ -139,9 +139,7 @@ read_runtime_log_tags(priv_app)
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow priv_app traced:fd use;
-allow priv_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(priv_app, traced_producer, traced)
+perfetto_producer(priv_app)
 
 # Allow priv_apps to request and collect incident reports.
 # (Also requires DUMP and PACKAGE_USAGE_STATS permissions)

private/shell.te

@@ -34,9 +34,7 @@ unix_socket_connect(shell, traced_consumer, traced)
 
 # Allow shell binaries to write trace data to Perfetto. Used for testing and
 # cmdline utils.
-allow shell traced:fd use;
-allow shell traced_tmpfs:file { read write getattr map };
-unix_socket_connect(shell, traced_producer, traced)
+perfetto_producer(shell)
 
 domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
 

private/surfaceflinger.te

@@ -68,9 +68,7 @@ userdebug_or_eng(`
 ')
 
 # Needed to register as a Perfetto producer.
-allow surfaceflinger traced:fd use;
-allow surfaceflinger traced_tmpfs:file { read write getattr map };
-unix_socket_connect(surfaceflinger, traced_producer, traced)
+perfetto_producer(surfaceflinger)
 
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };

private/system_server.te

@@ -297,6 +297,8 @@ allow system_server mediaserver:udp_socket rw_socket_perms;
 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
 allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
+userdebug_or_eng(`perfetto_producer({ system_server })')
+
 # Get file context
 allow system_server file_contexts_file:file r_file_perms;
 # access for mac_permissions

private/traced_probes.te

@@ -6,9 +6,7 @@ init_daemon_domain(traced_probes)
 
 # Write trace data to the Perfetto traced damon. This requires connecting to its
 # producer socket and obtaining a (per-process) tmpfs fd.
-allow traced_probes traced:fd use;
-allow traced_probes traced_tmpfs:file { read write getattr map };
-unix_socket_connect(traced_probes, traced_producer, traced)
+perfetto_producer(traced_probes)
 
 # Allow traced_probes to access tracefs.
 allow traced_probes debugfs_tracing:dir r_dir_perms;

private/untrusted_app_all.te

@@ -135,9 +135,7 @@ allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow untrusted_app_all traced:fd use;
-allow untrusted_app_all traced_tmpfs:file { read write getattr map };
-unix_socket_connect(untrusted_app_all, traced_producer, traced)
+perfetto_producer(untrusted_app_all)
 
 # Allow heap profiling if the app opts in by being marked
 # profileable/debuggable.

public/te_macros

@@ -714,6 +714,15 @@ define(`never_profile_heap', `
   neverallow heapprofd $1:process signal;
 ')
 
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+define(`perfetto_producer', `
+  allow $1 traced:fd use;
+  allow $1 traced_tmpfs:file { read write getattr map };
+  unix_socket_connect($1, traced_producer, traced)
+')
+
 ###########################################
 # dump_hal(hal_type)
 # Ability to dump the hal debug info