Commit graph

65 commits

Author SHA1 Message Date
Alessio Balsini
c1e2918fd9 Allow the MediaProvider app to set FUSE passthrough property
Allow the MediaProvider app to write the system property
fuse.passthrough.enabled in case FUSE passthrough is enabled.
The need for this additional system property is due to the ScopedStorage
CTS tests that are assuming FUSE passtrhough is always on for devices
supporting it, but there may be some cases (e.g., GSI mixed builds)
where this is not possible true and the feature is disabled at runtime,
thus causing the tests to fail.
This additional system property is only set when FUSE passthrough is
actually being used by the system.

Bug: 186635810
Test: CtsScopedStorageDeviceOnlyTest
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I623042d67399253a9167188c3748d93eb0f2d41f
2021-05-13 17:38:16 +00:00
Yi-Yo Chiang
694ab79207 Allow shell to read default fstab
CTS module CtsFsMgrTestCases (gtest) needs to read fstab.

Fixes: 184850580
Test: CtsFsMgrTestCases on user build
Change-Id: I0f04bb021d8732a1c5f987ba2984da2c98f40653
2021-04-12 04:46:06 +00:00
Michael Rosenfeld
3ccbebb415 Permit dropping caches from the shell through sys.drop_caches.
*   Permits setting the sys.drop_caches property from shell.
*   Permits init to read and write to the drop_caches file.
*   Can only be set to 3 (drop_caches) and 0 (unset).

Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
2021-03-19 10:55:51 -07:00
Chun-Wei Wang
75e3fa6ead Merge "Add persist.rollback.is_test (6/n)" 2021-03-06 14:33:38 +00:00
JW Wang
0f8cf04965 Add persist.rollback.is_test (6/n)
This property is set to true in rollback tests to prevent
fallback-to-copy when enabling rollbacks by hard linking.

This gives us insights into how hard linking fails where
it shouldn't.

Bug: 168562373
Test: m
Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
2021-03-03 10:34:06 +08:00
Yifan Hong
a18cf7ed0c Allow shell to read VAB props.
Bug: 179427873
Test: adb unroot and read the prop
Change-Id: Ib480903afae2e7180a59f8834dd7c54062acd947
2021-02-24 22:33:46 +00:00
Hongming Jin
58f83415ea Add /data/misc/a11ytrace folder to store accessibility trace files.
Bug: 157601519
Test: adb shell cmd accessibility start-trace
      adb shell cmd accessibility stop-trace
Change-Id: Id4224cee800fe3e10f33794c96048366a0bf09bb
2021-02-16 09:35:09 -08:00
Tianjie
c3752cf5dd Set context for hash algorithm properties.
Also move verity_status_prop to system_restricted_prop since we
need to query it in cts tests

Bug: 175236047
Test: atest CtsNativeVerifiedBootTestCases
Change-Id: I82b26edaf5c5ad233bd83dff77eaafb9174646ef
2021-01-20 19:06:47 -08:00
Primiano Tucci
2bb8587933 Allow shell + priv_app to traverse /data/misc/perfetto-traces
This is a follow-up to r.android.com/1542764.
1. In order to allow priv_app to
   stat(/data/misc/perfetto-traces/bugreport/*) we need
   also the `search` permission to traverse the parent
   directory /data/misc/perfetto-traces.
2. Allow shell to read the new bugreport/ directory.
   shell can read bugreports anyways and this is needed
   for CTS tests.

Bug: 177761174
Bug: 177684571
Test: manual (changpa@)
Change-Id: I39d6a1c7941bcdcdc314a7538c0accfd37c52ca2
2021-01-18 14:16:03 +00:00
Mitch Phillips
eaf1404d8a [MTE] Add memtag sysprop sepolicy.
These flags should be writeable to the shell for both root and non-root
users. They should be readable everywhere, as they're read in libc
during initialization (and there's nothing secret to hide). We just
don't want to allow apps to set these properties.

These properties are non-persistent, are for local developer debugging
only.

Bug: 135772972
Bug: 172365548
Test: `adb shell setprop memtag.123 0` in non-root shell succeeds.
Change-Id: If9ad7123829b0be27c29050f10081d2aecdef670
2021-01-11 08:35:58 -08:00
David Anderson
09bb944221 Add sepolicy for starting the snapuserd daemon through init.
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.

update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.

This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.

Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
2020-11-19 21:03:30 +00:00
Inseob Kim
0cef0fe5ac Add contexts for sqlite debug properties
These are read by some apps, but don't have any corresponding property
contexts. This adds a new context as we're going to remove default_prop
access.

Bug: 173360450
Test: no sepolicy denials
Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
2020-11-18 12:14:20 +09:00
Roland Levillain
06bee189ad Allow the shell user to run dex2oat.
This is required for ART's Checker tests, which are part of
(host-driven) ART run-tests, and will also be required to run ART
run-tests via TradeFed in AOT-compilation modes in the future.

Test: Run `atest art-run-test-004-checker-UnsafeTest18` with
      https://android-review.googlesource.com/c/platform/tools/tradefederation/+/1484277
      merged in, on a device where `adb` commands are not run as root
Bug: 162408889
Bug: 147812905
Change-Id: I3e4824bf15bdbad1ddf26601f871feec11313ecc
2020-11-02 21:51:27 +00:00
Treehugger Robot
b178fe826c Merge changes from topic "ramdisk_timestamp_runtime_load"
* changes:
  Add ro.bootimage.* property contexts
  Add /second_stage_resources tmpfs.
2020-10-16 19:23:08 +00:00
Primiano Tucci
512bdb9c1b Create directory for shell<>perfetto interaction
Users are unable to pass config files directly to
perfetto via `perfetto -c /path/to/config` and have to
resort to awkward quirks like `cat config | perfetto -c -'.
This is because /system/bin/perfetto runs in its own SELinux
domain for reasons explained in the bug.
This causes problem to test infrastructures authors. Instead
of allowing the use of /data/local/tmp which is too ill-scoped
we create a dedicated folder and allow only shell and perfetto
to operate on it.

Bug: 170404111
Test: manual, see aosp/1459023
Change-Id: I6fefe066f93f1f389c6f45bd18214f8e8b07079e
2020-10-13 21:27:27 +00:00
Yifan Hong
6bb5a76d29 Add ro.bootimage.* property contexts
In addition, allow shell to read this property.

Test: getprop -Z
Test: cts-tradefed run cts -m CtsGestureTestCases
      and check /sdcard/device-info-files/PropertyDeviceInfo.deviceinfo.json

Bug: 169169031
Change-Id: Ib71b01bac326354696e159129f9dea4c2e918c51
2020-10-07 11:55:20 -07:00
Janis Danisevskis
ed96f5c518 Move list permission from keystore2_key to keystore class.
The list permission protects the ability to list arbitrary namespaces.
This is not a namespace specific permission but a Keystore specific
permission. Listing the entries of a given namsepace is covered by the
get_info permission already.

Test: N/A
Merged-In: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
Change-Id: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
2020-09-30 12:18:26 -07:00
Yi Kong
4555123090 Policies for profcollectd
Bug: 79161490
Test: run profcollect with enforcing
Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
2020-09-08 12:29:47 +00:00
Janis Danisevskis
47f3761cc8 Add keystore2_key namespace shell_key for shell.
Add a keystore2_key namespace that can be used by `shell` for testing.

Bug: 158500146
Bug: 162265751
Test: keystore2_test
Change-Id: I78b9b285969dd503a09609f7bcb02552b24d1a6b
Merged-In: I78b9b285969dd503a09609f7bcb02552b24d1a6b
2020-08-05 21:58:04 +00:00
Alan Stokes
bd397a14b4 Merge "Make cross-user apps mlstrustedsubject." 2020-07-23 08:35:43 +00:00
Alan Stokes
81e4e877f3 Make cross-user apps mlstrustedsubject.
We have various apps which inherently work across all users,
configured in seapp_contexts with levelFrom=None (usually implicitly).

This change marks those apps, where they have private data files, as
mlstrustedsubject, to allow us to increase restrictions on cross-user
access without breaking them.

Currently these apps are granted full access to [priv_]app__data_file
via TE rules, but are blocked from calling open (etc) by mls rules
(they don't have a matching level).

This CL changes things round so they are granted access by mls, but
blocked from calling open by TE rules; the overall effect is thus the
same - they do not have access.

A neverallow rule is added to ensure this remains true.

Note that there are various vendor apps which are appdomain,
levelFrom=None; they will also need modified policy.

Test: builds, boots, no new denials.
Bug: 141677108

Change-Id: Ic14f24ec6e8cbfda7a775adf0c350b406d3a197e
2020-07-22 14:41:31 +01:00
Inseob Kim
c97a97cd3f Move more properties out of exported3_default_prop
This is to remove exported3_default_prop. Contexts of these properties
are changed.

- ro.boot.wificountrycode
This becomes wifi_config_prop

- ro.opengles.version
This becomes graphics_config_prop. Also it's read by various domains, so
graphics_config_prop is now readable from coredomain.

- persist.config.calibration_fac
This becomes camera_calibration_prop. It's only readable by appdomain.

Bug: 155844385
Test: no denials on Pixel devices
Test: connect wifi
Change-Id: If2b6c10fa124e29d1612a8f94ae18b223849e2a9
2020-07-21 13:11:57 +09:00
Yi Kong
239c85dd0d Add sepolicy for profcollectd
This does not yet list all the required capabilities for profcollectd,
but it at least allows the service to start under permissive mode.

Bug: 79161490
Test: start profcollectd
Change-Id: I92c6192fa9b31840b2aba26f83a6dc9f9e835030
2020-07-01 23:44:37 +08:00
Peiyong Lin
37dea070ce Update sepolicy for GPU profiling properties.
A device must indicate whether GPU profiling is supported or not through
setting these two properties properly. CTS needs to read these two
properties in order to run corresponding compliance tests. Hence need to
update sepolicy for these two properties.

Bug: b/157832445
Test: Test on Pixel 4
Change-Id: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
Merged-In: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
2020-06-05 12:03:29 -07:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Nikita Ioffe
91c3795b2c Add userspace_reboot_test_prop
This property type represents properties used in CTS tests of userspace
reboot. For example, test.userspace_reboot.requested property which is
used to check that userspace reboot was successful and didn't result in
full reboot, e.g.:
* before test setprop test.userspace_reboot.requested 1
* adb reboot userspace
* wait for boot to complete
* verify that value of test.userspace_reboot.requested is still 1

Test: adb shell setprop test.userspace_reboot.requested 1
Bug: 150901232
Change-Id: I45d187f386149cec08318ea8545ab864b5810ca8
Merged-In: I45d187f386149cec08318ea8545ab864b5810ca8
(cherry picked from commit 3bd53a9cee)
2020-03-16 15:13:08 +00:00
Kiyoung Kim
dc34050e17 Remove sys.linker property
sys.linker property was defined to enable / disable generate linker
configuration, but the property has been removed. Remove sys.linker
property definition as it is no longer in use

Bug: 149335054
Test: m -j passed && cuttlefish worked without sepolicy error
Change-Id: Iacb2d561317d0920f93104717ce4f4bb424cc095
Merged-In: Iacb2d561317d0920f93104717ce4f4bb424cc095
2020-02-19 10:16:06 +09:00
Ryan Savitski
ffa0dd93f3 perf_event: rules for system and simpleperf domain
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
                            untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)

simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.

runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).

system-wide profiling is effectively constrained to "su" on debug
builds.

See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.

Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
2020-01-15 16:56:41 +00:00
Florian Mayer
5e52281372 Allow Java domains to be Perfetto producers.
This is needed to get Java heap graphs.

Test: flash aosp; profile system_server with setenforce 1

Bug: 136210868

Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-10 10:40:26 +01:00
Florian Mayer
d54f4487bc Merge "Allow shell to unlink perfetto_traces_data_file." 2019-09-30 17:40:01 +00:00
Florian Mayer
c069bc134e Allow shell to unlink perfetto_traces_data_file.
Bug: 141704436
Test:
blueline:/ $ ls -lZa /data/misc/perfetto-traces
total 186
drwxrwx-wx  2 root   shell u:object_r:perfetto_traces_data_file:s0    3488 2019-09-30 14:12 .
drwxrwx--t 46 system misc  u:object_r:system_data_file:s0             3488 2019-09-30 14:08 ..
-rw-------  1 shell  shell u:object_r:perfetto_traces_data_file:s0  180467 2019-09-30 14:12 profile-shell
blueline:/ $ rm /data/misc/perfetto-traces/profile-shell
rm ro /data/misc/perfetto-traces/profile-shell (y/N):y
blueline:/ $ ls -lZa /data/misc/perfetto-traces
total 6
drwxrwx-wx  2 root   shell u:object_r:perfetto_traces_data_file:s0  3488 2019-09-30 14:13 .
drwxrwx--t 46 system misc  u:object_r:system_data_file:s0           3488 2019-09-30 14:08 ..
blueline:/ $


Change-Id: Ia710068c3cca53a415347fb0a7064740e500d15d
2019-09-30 13:13:14 +00:00
Eric Biggers
b57af5d0e6 Allow shell to get encryption policy for CTS
Allow the shell domain to use the FS_IOC_GET_ENCRYPTION_POLICY and
FS_IOC_GET_ENCRYPTION_POLICY_EX ioctls so that we can write a CTS test
which checks that the device complies with the CDD requirements to use
appropriate algorithms for file-based encryption.

The information returned by these ioctls is already available in logcat,
but scraping the log for a CTS test seems fragile; I assume that people
would prefer a more robust solution.

For more details see change I9082241066cba82b531e51f9a5aec14526467162

Bug: 111311698
Test: the CTS test works after this change.
Change-Id: Ib9ce6b42fcfb6b546eb80a93ae8d17ac5a433984
2019-09-27 15:24:27 -07:00
Kiyoung Kim
82c87ede24 Define sepolicy with property for linker
To support linker-specific property, sys.linker.* has been defined as
linker_prop. This will have get_prop access from domain so all binaries
can start with linker using proper property access level.

Bug: 138920271
Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found
Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
2019-08-14 12:35:15 +09:00
Yifan Hong
18ade868ff Add rules for lpdump and lpdumpd
- lpdump is a binary on the device that talks to lpdumpd
  via binder.

- lpdumpd is a daemon on the device that actually reads
  dynamic partition metadata. Only lpdump can talk to it.

Bug: 126233777
Test: boots (sanity)
Test: lpdump

Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
2019-03-25 10:14:20 -07:00
Nick Kralevich
68e27caeb6 allow shell rs_exec:file rx_file_perms
Hostside tests depend on being able to execute /system/bin/bcc. Allow
it.

From bug:

In the NDK:

  $ ./checkbuild.py
  $ virtualenv -p ../out/bootstrap/bin/python3 env
  $ source env/bin/activate
  $ ./run_tests.py --filter rs-cpp-basic
  FAIL rs-cpp-basic.rstest-compute [armeabi-v7a-19]: android-28 marlin HT67L0200247 QPP1.190205.017
  New RS 0xee70f000
  Segmentation fault

  FAIL rs-cpp-basic.rstest-compute [arm64-v8a-21]: android-28 marlin HT67L0200247 QPP1.190205.017
  New RS 0x7a91e13000
  Segmentation fault

  02-23 23:00:45.635  9516  9518 V RenderScript: Successfully loaded runtime: libRSDriver_adreno.so
  02-23 23:00:45.650  9518  9518 W rstest-compute: type=1400 audit(0.0:15): avc: denied { read } for name="bcc" dev="dm-0" ino=390 scontext=u:r:shell:s0 tcontext=u:object_r:rs_exec:s0 tclass=file permissive=0
  02-23 23:00:45.651  9516  9518 E RenderScript: Cannot open file '/system/bin/bcc' to compute checksum
  02-23 23:00:45.652  9516  9516 E rsC++   : Internal error: Object id 0.

Test: compiles
Fixes: 126388046
Change-Id: I28e591d660c4ba9a33135e940d298d35474ef0b6
2019-02-26 13:09:28 -08:00
Nick Kralevich
905b4000cb Fix dl.exec_linker* tests
The dl.exec_linker* tests verify that the linker can invoked on an
executable. That feature still works, but not with the default
shell user, which is required for the CTS bionic tests.

Addresses the following denial:

audit(0.0:5493): avc: denied { execute_no_trans } for path="/bionic/bin/linker64" dev="loop3" ino=25 scontext=u:r:shell:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0

Bug: 124789393
Test: compiles
Change-Id: I77772b2136fae97174eeba6542906c0802fce990
2019-02-25 15:11:40 -08:00
Florian Mayer
aeca04b967 Allow to signal perfetto from shell.
When daemonizing perfetto, SIGINT should be sent to ensure clean
shutdown.

Denial:
12-06 11:12:16.566  3099  3099 I sh      : type=1400 audit(0.0:462): avc: denied { signal } for scontext=u:r:shell:s0 tcontext=u:r:perfetto:s0 tclass=process permissive=1

Test: m
Test: flash walleye
Test: SIGINT perfetto from shell

Change-Id: I8d34b447ea90c315faf88f020f1dfc49e4abbcce
2018-12-13 10:46:42 +00:00
Fan Xu
ffffed28fa Remove unused bufferhub sepolicy
These selinux policy rules were added for bufferhub to run a binder
service. But later we decided to use a hwbinder service instead, and the
original binder service was removed in git/master. Now we can safely
remove these rules.

Test: Build passed. Device boot successfully without selinux denial.
Bug: 118891412
Change-Id: I349b5f0f2fa8fb6a7cfe7869d936791355c20753
2018-12-10 13:36:11 -08:00
Yiwei Zhang
ff0f79c195 [gpuservice] allow "adb shell cmd gpu vkjson"
Also allow adb shell dumpsys gpu to not return error.

Bug: 120095213
Test: flash non-eng build and adb shell cmd gpu vkjson
Change-Id: Ia4a50a475ce76ec35e082dd52d4a6c80dde7f571
2018-11-27 15:58:20 -08:00
Jeff Vander Stoep
424517721c Remove access to /proc/net/{tcp,udp}
Remove these files from proc_net_type. Domains that need access must
have permission explicitly granted. Neverallow app access except the
shell domain.

Bug: 114475727
Test: atest CtsLibcoreOjTestCases
Test: netstat, lsof
Test: adb bugreport
Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0
2018-09-30 21:33:47 -07:00
Wei Wang
bc71a6109e Add atrace HAL 1.0 sepolicy
Bug: 111098596
Test: atrace/systrace

(cherry picked from commit 9ed5cf6e43)

Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0
2018-09-27 23:18:29 +00:00
Fan Xu
26fa914cb2 Update SELinux Policy for bufferhubd
Create a new service type buffer_hub_binder_service for
BufferHubBinderService and allow bufferhubd to publish the service.

Add the service to 26.0, 27.0 and 28.0 compat ignore files since the
service is not available in past versions.

Fixes: 116022258
Test: build passed

Change-Id: I5a21f00329ed474433d96c8d1ce32377f20cada3
2018-09-24 12:29:43 -07:00
Bookatz
022ab0e738 Statsd allow shell in selinux policy
CTS tests need to be able to call, from hostside:
adb shell cmd stats dump-report (and others)
On a user build, this will fail because of an selinux policy violation
from shell. This cl fixes this by granting shell permission.

Similarly, Settings needs to communicate with statsd, so
system_app-statsd binder calls are given permission.

Bug: 72961153
Bug: 73255014
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests
Test: manual confirmation
Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02
2018-02-13 09:34:55 -08:00
Carmen Jackson
2c8ca45d2d Use a whitelisting strategy for tracefs.
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-02-05 10:03:06 -08:00
Primiano Tucci
1a9f4f7a7a SELinux policies for Perfetto cmdline client (/system/bin/perfetto)
Instead of having statsd linking the perfetto client library
and talk directly to its socket, we let just statsd exec()
the /system/bin/perfetto cmdline client.

There are two reasons for this:
1) Simplify the interaction between statsd and perfetto, reduce
  dependencies, binary size bloat and isolate faults.
2) The cmdline client also takes care of handing the trace to
  Dropbox. This allows to expose the binder interaction surface
  to the short-lived cmdline client and avoid to grant binder
  access to the perfetto traced daemon.

This cmdline client will be used by:
 - statsd
 - the shell user (for our UI and Studio)

Bug: 70942310
Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-29 11:06:00 +00:00
Yifan Hong
00ab5d86be Allow shell to start vendor shell
Test: adb shell /vendor/bin/sh
Fixes: 65448858
Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6
2018-01-16 18:28:51 +00:00
Primiano Tucci
c80f9e037b Perfetto SELinux policies
Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd.
   It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream
     tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
     from traced to each client process, which needs to be able to
     mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from:
     shell, statsd). It allows to configure tracing and read the trace
     buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2018-01-10 00:18:46 +00:00
Dan Cashman
91d398d802 Sync internal master and AOSP sepolicy.
Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 14:38:47 -07:00
Steven Moreland
5b2ebd3b25 Revert "Add screencap domain."
This reverts commit 9216a6adc9.

Bug: 65206688

Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf
Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
2017-09-05 10:08:09 -07:00
Steven Moreland
9216a6adc9 Add screencap domain.
Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
2017-08-14 11:46:08 -07:00