sepolicy: add perfetto_producer for platform_app and system_app

This addresses the following SELinux failure:
trigger_perfett: type=1400 audit(0.0:331): avc: denied { write }
  for name="traced_producer" dev="tmpfs" ino=35064
  scontext=u:r:platform_app:s0:c512,c768
  tcontext=u:object_r:traced_producer_socket:s0
  tclass=sock_file permissive=0 app=com.android.systemui

This is necessary so that, on user builds, system apps like systemui can
trigger Perfetto traces. This is already allowed on userdebug/eng by the
capability in app.te.

In a follow-up, we'll probably remove all the perfetto_producer in the
*_app.te and remove the userdebug_or_eng in app.te.

Bug: 190620348
Change-Id: I715979970cde760efdf4497c7cd2a2039ca86c85
Lalit Maganti 2021-06-10 14:10:45 +01:00
parent 03b80a12e4
commit d6ff0c7062
2 changed files with 6 additions and 0 deletions

@ -99,6 +99,9 @@ allow platform_app app_data_file:lnk_file create_file_perms;
# suppress denials caused by debugfs_tracing
dontaudit platform_app debugfs_tracing:file rw_file_perms;
# Allow platform apps to act as Perfetto producers.
perfetto_producer(platform_app)
###
### Neverallow rules
###
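Review bot: perfetto_producer(platform_app) opens the traced producer socket to every process in the platform_app domain, while the denial quoted in the commit message comes from a single app (com.android.systemui). Please confirm that the domain-wide scope is intended on user builds. The comment above the macro could also say that this extends to user builds what app.te already allows under userdebug_or_eng, with a reference to Bug 190620348, so the overlap is easy to find when the follow-up cleanup removes the per-domain rules.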

@ -169,6 +169,9 @@ allow system_app system_server:udp_socket {
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
###
### Neverallow rules
###
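Review bot: perfetto_producer(system_app) is not backed by any denial in the commit message; the quoted AVC has scontext platform_app only. Please add the corresponding system_app denial, or name the system app that needs to trigger traces on user builds, so the grant can be checked against an actual use case rather than added for symmetry with platform_app.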