Merge "Changes to allow trace redactor to run" into main

contexts/plat_file_contexts_test

@@ -483,6 +483,7 @@
 /system/bin/android.automotive.evs.manager@1.0                    evsmanagerd_exec
 /system/bin/android.automotive.evs.manager@1.99                   evsmanagerd_exec
 /system/bin/uprobestats                                           uprobestats_exec
+/system/bin/trace_redactor                                        trace_redactor_exec
 
 /vendor                                                           vendor_file
 /vendor/does_not_exist                                            vendor_file

private/file_contexts

@@ -339,6 +339,7 @@
 /system/bin/traced        u:object_r:traced_exec:s0
 /system/bin/traced_perf        u:object_r:traced_perf_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0
+/system/bin/trace_redactor        u:object_r:trace_redactor_exec:s0
 /system/bin/heapprofd        u:object_r:heapprofd_exec:s0
 /system/bin/uncrypt     u:object_r:uncrypt_exec:s0
 /system/bin/update_verifier u:object_r:update_verifier_exec:s0

private/perfetto.te

@@ -95,6 +95,7 @@ neverallow {
   -incidentd # For receiving reported traces. TODO(lalitm): remove this.
   -priv_app  # For stating traces for bug-report UI.
   -system_server # For accessing traces started by profiling apis.
+  -trace_redactor # For accessing traces to be redacted.
 } perfetto_traces_data_file:dir *;
 neverallow {
   domain
@@ -104,6 +105,7 @@ neverallow {
   -shell     # For devepment purposes.
   -traced    # For write_into_file traces.
   -incidentd      # For receiving reported traces. TODO(lalitm): remove this.
+  -trace_redactor # For redacting trace files.
 } perfetto_traces_data_file:file ~{ getattr read };
 
 ### perfetto should NEVER do any of the following

private/system_server.te

@@ -586,9 +586,14 @@ allow system_server perfetto:fifo_file { read write };
 
 # Allow system server to manage perfetto traces for ProfilingService.
 allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
-allow system_server perfetto_traces_profiling_data_file:file { rw_file_perms unlink };
+allow system_server perfetto_traces_profiling_data_file:file create_file_perms;
 allow system_server perfetto_traces_data_file:dir search;
 
+# Allow system server to exec the trace redactor cmdline client and kill the process for
+# ProfilingService.
+domain_auto_trans(system_server, trace_redactor_exec, trace_redactor);
+allow system_server trace_redactor:process signal;
+
 # Allow system server to kill perfetto processes for ProfilingService.
 allow system_server perfetto:process signal;
 
@@ -1319,7 +1324,8 @@ neverallow system_server {
 
 # Ensure that system_server doesn't perform any domain transitions other than
 # transitioning to the crash_dump domain when a crash occurs or fork clatd.
-neverallow system_server { domain -clatd -crash_dump -perfetto }:process transition;
+# add perfetto and trace_redactor which are exec'd from system server for ProfilingService.
+neverallow system_server { domain -clatd -crash_dump -perfetto -trace_redactor }:process transition;
 neverallow system_server *:process dyntransition;
 
 # Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.

private/trace_redactor.te

@@ -0,0 +1,13 @@
+# Trace Redactor command line
+type trace_redactor_exec, system_file_type, exec_type, file_type;
+type trace_redactor, domain, coredomain;
+
+# Use pipes provided by system_server
+allow trace_redactor system_server:fd use;
+allow trace_redactor system_server:fifo_file { read write getattr ioctl };
+
+# Allow trace_redactor to read output trace file and write to new redacted file.
+allow trace_redactor perfetto_traces_profiling_data_file:dir search;
+allow trace_redactor perfetto_traces_data_file:dir search;
+allow trace_redactor perfetto_traces_data_file:file { read getattr ioctl };
+allow trace_redactor perfetto_traces_profiling_data_file:file rw_file_perms;