tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

tm-qpr backport: allow perfetto profiling of system_server and sys/platform apps

Browse source 
This is a reduced backport of aosp/2419280, as the full change adds
domain-wide allow rules as well as neverallows, and we want to avoid
conflicts against pre-existing TM vendor policies.

This backport is downscoped to:
* system_server.te:  allow profiling system_server, runs as "system".
* system_app.te:     allow profiling all other apps running as "system",
                     e.g. com.android.settings.
* platform_app.te:   for platform-signed apps running in the normal app
                     UID range, e.g. com.android.systemui.

Merging logistics:
* AOSP and udc-dev have the full change, so prevent automerged conflicts
  via Merged-In.
* api=33 sepolicy prebuilts are in a stacked patch as those should flow
  into downstream branches, and afaiu will need to be CP'd to AOSP.

Bug: 272719059
Ignore-AOSP-First: tm-qpr-dev backport
Merged-In: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6
Change-Id: I5de4a39b002baabad7ef9e5a21c10dc6d87295eb
This commit is contained in:
Ryan Savitski 2023-03-13 15:30:29 +00:00 committed by Ioannis Ilkos
parent c9530bbdfd
commit b2fecc3954
3 changed files with 16 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
private/platform_app.te
View file

@ -119,6 +119,10 @@ dontaudit platform_app debugfs_tracing:file rw_file_perms;
# Allow platform apps to act as Perfetto producers.
perfetto_producer(platform_app)
# Allow performance profiling if the app opts in.
can_profile_heap(platform_app)
can_profile_perf(platform_app)
# Allow platform apps to create VMs
virtualizationservice_use(platform_app)

4
private/system_app.te
View file

@ -177,6 +177,10 @@ get_prop(system_app, oem_unlock_prop)
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
# Allow performance profiling by the platform itself.
can_profile_heap(system_app)
can_profile_perf(system_app)
###
### Neverallow rules
###

9
private/system_server.te
View file

@ -418,7 +418,14 @@ allow system_server mediaserver:udp_socket rw_socket_perms;
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;
userdebug_or_eng(`perfetto_producer({ system_server })')
# Allow writing performance tracing data to the Perfetto traced daemon. This
# requires connecting to its producer socket and obtaining a (per-process)
# tmpfs fd.
perfetto_producer(system_server)
# Allow performance profiling by the platform itself.
can_profile_heap(system_server)
can_profile_perf(system_server)
# Get file context
allow system_server file_contexts_file:file r_file_perms;