tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add context that system server can access and perfetto can save traces to am: c5cb5a248d

Browse source 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2965922

Change-Id: I3e286eb5cfb4de9fc80eb8462fb183d67898db98
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Yisroel Forta 2024-02-21 22:38:05 +00:00 committed by Automerger Merge Worker
commit dc79d84476
5 changed files with 31 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
contexts/plat_file_contexts_test
View file

@ -995,10 +995,12 @@
/data/misc/odsign/test odsign_data_file
/data/misc/odsign/metrics odsign_metrics_file
/data/misc/odsign/metrics/test odsign_metrics_file
/data/misc/perfetto-traces/bugreport perfetto_traces_bugreport_data_file
/data/misc/perfetto-traces/bugreport/test perfetto_traces_bugreport_data_file
/data/misc/perfetto-traces/bugreport perfetto_traces_bugreport_data_file
/data/misc/perfetto-traces/bugreport/test perfetto_traces_bugreport_data_file
/data/misc/perfetto-traces perfetto_traces_data_file
/data/misc/perfetto-traces/test perfetto_traces_data_file
/data/misc/perfetto-traces/profiling perfetto_traces_profiling_data_file
/data/misc/perfetto-traces/profiling/test perfetto_traces_profiling_data_file
/data/misc/perfetto-configs perfetto_configs_data_file
/data/misc/perfetto-configs/test perfetto_configs_data_file
/data/misc/prereboot prereboot_data_file

3
private/file.te
View file

@ -25,6 +25,9 @@ type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-traces/profiling for perfetto traces from profiling apis.
type perfetto_traces_profiling_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;

7
private/file_contexts
View file

@ -660,9 +660,10 @@
/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
/data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces/profiling(/.*)? u:object_r:perfetto_traces_profiling_data_file:s0
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/uprobestats-configs(/.*)? u:object_r:uprobestats_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0

13
private/perfetto.te
View file

@ -26,6 +26,10 @@ allow perfetto perfetto_traces_data_file:file create_file_perms;
allow perfetto perfetto_traces_bugreport_data_file:file create_file_perms;
allow perfetto perfetto_traces_bugreport_data_file:dir rw_dir_perms;
# Allow to write and unlink traces into /data/misc/perfetto-traces/profiling.
allow perfetto perfetto_traces_profiling_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_profiling_data_file:file create_file_perms;
# Allow perfetto to access the proxy service for reporting traces.
allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
@ -86,6 +90,7 @@ neverallow {
-dumpstate # For attaching traces to bugreports.
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
-priv_app # For stating traces for bug-report UI.
-system_server # For accessing traces started by profiling apis.
} perfetto_traces_data_file:dir *;
neverallow {
domain
@ -122,14 +127,20 @@ neverallow perfetto {
-vendor_data_file
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-perfetto_traces_profiling_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
neverallow perfetto {
system_data_file
-perfetto_traces_data_file
-perfetto_traces_profiling_data_file
}:dir ~{ getattr search };
neverallow perfetto {
data_file_type
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-perfetto_traces_profiling_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;

8
private/system_server.te
View file

@ -582,6 +582,11 @@ allow system_server perfetto:fd use;
domain_auto_trans(system_server, perfetto_exec, perfetto);
allow system_server perfetto:fifo_file { read write };
# Allow system server to manage perfetto traces for ProfilingService.
allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
allow system_server perfetto_traces_profiling_data_file:file { rw_file_perms unlink };
allow system_server perfetto_traces_data_file:dir search;
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
@ -1299,6 +1304,9 @@ neverallow system_server {
neverallow system_server { domain -clatd -crash_dump -perfetto }:process transition;
neverallow system_server *:process dyntransition;
# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
neverallow system_server perfetto_traces_data_file:dir ~search;
# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };