tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Allow traced_probes to subscribe to statsd atoms

Browse source 
Denials:
SELinux : avc:  denied  { find } for pid=1279 uid=9999 name=stats scontext=u:r:traced_probes:s0 tcontext=u:object_r:stats_service:s0 tclass=service_manager permissive=0
traced_probes: type=1400 audit(0.0:11): avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
traced_probes: type=1400 audit(0.0:12): avc: denied { transfer } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
binder:1076_7: type=1400 audit(0.0:13): avc: denied { call } for scontext=u:r:statsd:s0 tcontext=u:r:traced_probes:s0 tclass=binder permissive=1

See go/ww-atom-subscriber-api

Testing steps:
Patch ag/21985690
Run:
$ adb push test/configs/statsd.cfg /data/misc/perfetto-configs/statsd.cfg
$ adb shell perfetto --txt -c /data/misc/perfetto-configs/statsd.cfg -o /data/misc/perfetto-traces/statsd.pb
$ adb pull /data/misc/perfetto-traces/statsd.pb statsd.pb
$ out/linux_clang_debug/traceconv text statsd.pb
Check logcat for denials.

Test: See above
Bug: 268661096

Change-Id: I58045b55ca8a4aa6f00774cc2d72d7b10a232922
This commit is contained in:
Hector Dearman 2023-03-22 08:14:38 +00:00
parent 9a3f429b00
commit 7ca04a7e7f
3 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
private/stats.te
View file

@ -56,4 +56,5 @@ neverallow {
-system_app
-system_server
-traceur_app
-traced_probes
} stats_service:service_manager find;

4
private/traced_probes.te
View file

@ -100,8 +100,10 @@ hal_client_domain(traced_probes, hal_atrace)
# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')
# Allow traced_probes to talk to statsd for logging metrics.
# Allow traced_probes to talk to statsd for logging metrics and recording atoms.
unix_socket_send(traced_probes, statsdw, statsd)
binder_call(traced_probes, statsd)
allow traced_probes stats_service:service_manager find;
###
### Neverallow rules

1
public/statsd.te
View file

@ -34,6 +34,7 @@ allow statsd stats_config_data_file:file create_file_perms;
binder_call(statsd, appdomain)
binder_call(statsd, incidentd)
binder_call(statsd, system_server)
binder_call(statsd, traced_probes)
# Allow statsd to interact with gpuservice
allow statsd gpu_service:service_manager find;