From ff413fd7d056ec8b5e2dcfa572e4f56bf6f98aa1 Mon Sep 17 00:00:00 2001
From: Stefan Andonian
Date: Wed, 24 Jan 2024 22:04:52 +0000
Subject: [PATCH] Enable platform_app to use perfetto/trace_data_file permissions in debug/eng builds.

This change is to allow SystemUI, a platform_app, to start, stop, and share Perfetto/Winscope traces.

Bug: 305049544
Test: Verified everything works on my local device.
Change-Id: I8fc35a5a570c2199cfdd95418a6caf0c48111c46
---
 private/platform_app.te | 16 +++++++++++++++-
 private/traced.te | 2 ++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/private/platform_app.te b/private/platform_app.te
index cd9535326..eb1a7c75e 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -64,10 +64,24 @@ userdebug_or_eng(`
 auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
 ')
 
+# Allow sharing traces to betterbug from /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow platform_app trace_data_file:file create_file_perms;
+ allow platform_app trace_data_file:dir rw_dir_perms;
+')
+
 # Allow writing and removing wmshell protolog in /data/misc/wmtrace.
 userdebug_or_eng(`
 allow platform_app wm_trace_data_file:dir rw_dir_perms;
- allow platform_app wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+ allow platform_app wm_trace_data_file:file { getattr setattr create unlink rw_file_perms };
+')
+
+
+# To exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe. Allow to access traced's privileged consumer socket.
+userdebug_or_eng(`
+ allow platform_app perfetto_exec:file rx_file_perms;
+ unix_socket_connect(platform_app, traced_consumer, traced);
 ')
 
 allow platform_app audioserver_service:service_manager find;
diff --git a/private/traced.te b/private/traced.te
index d4e5bec42..796095fd7 100644
--- a/private/traced.te
+++ b/private/traced.te
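Review bot: In private/platform_app.te the three added `userdebug_or_eng` blocks grant to the whole `platform_app` domain, while the commit message names only SystemUI, so on debug builds every process in that domain can exec `perfetto_exec` and connect to what the new comment itself calls traced's privileged consumer socket. The comments should state that scope, e.g. `# Granted to all of platform_app (SystemUI is the intended user); userdebug/eng only.` The first comment also looks copied from the wm_trace block: it names /data/misc/wmtrace above rules for `trace_data_file`, and it mentions only sharing although `create_file_perms` and `rw_dir_perms` also permit creating and deleting trace files, so it should name the right directory and the reason write access is needed. Two smaller wording fixes: `stdint` should read `stdin`, and the wm_trace comment still says "writing and removing" although the rule now grants `rw_file_perms`.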
@@ -28,6 +28,7 @@ allow traced perfetto_traces_data_file:dir rw_dir_perms;
 # Allow traceur to pass open file descriptors to traced, so traced can directly
 # write into the output file without doing roundtrips over IPC.
 allow traced traceur_app:fd use;
+allow traced platform_app:fd use;
 allow traced trace_data_file:file { read write };
 
 # Allow perfetto to access the proxy service for notifying Traceur.
@@ -119,6 +120,7 @@ neverallow {
 -traced
 -dumpstate
 -traceur_app
+ -platform_app
 -shell
 -system_server
 -perfetto
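Review bot: Both traced.te additions are unconditional, although the platform_app.te rules that need them are wrapped in `userdebug_or_eng`, so on user builds traced may still use file descriptors passed by any platform_app and platform_app stays exempt from the neverallow in the second hunk. Gating them the same way keeps user-build policy unchanged: `` userdebug_or_eng(`allow traced platform_app:fd use;') `` in the first hunk and `` userdebug_or_eng(`-platform_app') `` in the neverallow's exemption list. The neverallow block begins and ends outside the hunk, so the permission being carved out is not visible here and should be checked before the exemption is widened. The comment above the fd rule still names only traceur and should mention platform_app as well.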