Allow iorapd to access perfetto
This requires moving the type declaration of perfetto traced to public, because iorapd needs to refer to it. Denials without this CL: https://pastebin.com/raw/sxHMeLEU Bug: 72170747 Test: 1. runcon u:r:iorapd:s0 iorap.cmd.perfetto \ -v --output-proto /data/misc/iorapd/test 2. Check that no selinux denials other than avc: denied { entrypoint } for path="/system/bin/iorap.cmd.perfetto" dev="sda6" ino=21 scontext=u:r:iorapd:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 show up (this is a side-effect of runcon). Change-Id: Iacd1ab201fe9fb2a6302dbd528f42f709cbca054
This commit is contained in:
parent
283761cfca
commit
79d1dbbc05
@ -1,5 +1,7 @@
|
||||
# Perfetto user-space tracing daemon (unprivileged)
|
||||
type traced, domain, coredomain, mlstrustedsubject;
|
||||
|
||||
# type traced is defined under /public (because iorapd rules
|
||||
# under public/ need to refer to it).
|
||||
type traced_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# Allow init to exec the daemon.
|
||||
@ -19,10 +21,18 @@ allow traced self:global_capability_class_set { sys_nice };
|
||||
# directly into that (rather than returning the trace contents over the socket).
|
||||
allow traced perfetto:fd use;
|
||||
allow traced shell:fd use;
|
||||
allow traced traceur_app:fd use;
|
||||
allow traced perfetto_traces_data_file:file { read write };
|
||||
|
||||
# Allow traceur to pass open file descriptors to traced, so traced can directly
|
||||
# write into the output file without doing roundtrips over IPC.
|
||||
allow traced traceur_app:fd use;
|
||||
allow traced trace_data_file:file { read write };
|
||||
|
||||
# Allow iorapd to pass memfd descriptors to traced, so traced can directly
|
||||
# write into the shmem buffer file without doing roundtrips over IPC.
|
||||
allow traced iorapd:fd use;
|
||||
allow traced iorapd_tmpfs:file { read write };
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
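Review bot: The new `allow traced iorapd_tmpfs:file { read write };` rule is only safe because it omits `open`: traced can then touch iorapd_tmpfs files solely through descriptors that iorapd hands it under the paired `allow traced iorapd:fd use;`, which is what keeps the grant to passed memfds rather than to any iorapd tmpfs object, and that reasoning is not written down. Suggested comment under the existing two-line one: `# No 'open' on purpose: traced must only use descriptors passed by iorapd.` The same reading applies to the trace_data_file and perfetto_traces_data_file rules above it, which also carry no `open`. Separately, `allow traced traceur_app:fd use;` appears twice in this hunk (once before the perfetto_traces_data_file line and again under the traceur comment), so one copy is redundant, though whether this commit introduced the duplicate cannot be told from the rendered page; the file header for this section is not on the page either.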
@ -31,6 +31,9 @@ binder_call(iorapd, healthd)
|
||||
# iorapd temporarily changes its priority when running benchmarks
|
||||
allow iorapd self:global_capability_class_set sys_nice;
|
||||
|
||||
# Allow to access Perfetto traced's privileged consumer socket to start/stop
|
||||
# tracing sessions and read trace data.
|
||||
unix_socket_connect(iorapd, traced_consumer, traced)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
|
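Review bot: `unix_socket_connect(iorapd, traced_consumer, traced)` hands iorapd the consumer interface that the comment above it already calls privileged, and trace data read back over that socket may include events from producers across the system rather than only iorapd's own activity, so the comment should name what bounds the grant and that it is the same level of access shell and traceur hold, e.g. `# Consumer access is as privileged as shell/traceur; iorapd uses it only for its own sessions via iorap.cmd.perfetto.` (the latter half is inferred from the test in the commit description and should be confirmed). The `### neverallow rules` block that begins at the end of this hunk continues outside it; it is the natural place to pin that no app-reachable domain gains traced_consumer through iorapd. Its heading is also lower-case where traced.te uses `### Neverallow rules`, a cosmetic difference worth aligning. The file header for this section is not visible on the page.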
2
public/traced.te
Normal file
2
public/traced.te
Normal file
@ -0,0 +1,2 @@
|
||||
type traced, domain, coredomain, mlstrustedsubject;
|
||||
|
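Review bot: The new public/traced.te declares `type traced, domain, coredomain, mlstrustedsubject;` with no comment, while the line it replaces in private/traced.te sat under `# Perfetto user-space tracing daemon (unprivileged)`; because a declaration under public/ becomes part of the policy surface that vendor policy can reference, the file should state why the type lives here and that the allow rules stay private. Suggested comment above the type line: `# Perfetto user-space tracing daemon (unprivileged). Declared under public/ only so that iorapd rules can refer to the type; all allow rules remain in private/traced.te.`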