Merge "Give surfaceflinger permission to write perfetto traces"
diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
index af3d8b9..202d1b3 100644
--- a/prebuilts/api/29.0/private/genfs_contexts
+++ b/prebuilts/api/29.0/private/genfs_contexts
@@ -212,6 +212,7 @@
 genfscon tracefs /events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0
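Review bot: The new `/events/power/gpu_frequency/` entry takes the shared `debugfs_tracing` type, so every domain that already has access to that type gains this event with no separate rule to audit. The matching debugfs entry in the second hunk (`/tracing/events/power/gpu_frequency/`) has the same effect. A short comment above both lines, such as `# gpu_frequency: enabled for <consumer>; payload reviewed for exposure via debugfs_tracing`, would record why the event belongs in this group. The file sits under `prebuilts/api/29.0`, and the corresponding edit to the live `private/genfs_contexts` is not visible on this page, so confirm the two stay in step.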
@@ -253,6 +254,7 @@
 genfscon debugfs /tracing/events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0
diff --git a/private/file_contexts b/private/file_contexts
index 8150fa6..5532bd3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -406,10 +406,10 @@
 /(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
 
 #############################
-# Product-Services files
+# SystemExt files
 #
-/(product_services|system/product_services)(/.*)?               u:object_r:system_file:s0
-/(product_services|system/product_services)/overlay(/.*)?       u:object_r:vendor_overlay_file:s0
+/(system_ext|system/system_ext)(/.*)?               u:object_r:system_file:s0
+/(system_ext|system/system_ext)/overlay(/.*)?       u:object_r:vendor_overlay_file:s0
 
 #############################
 # Vendor files from /(product|system/product)/vendor_overlay
diff --git a/private/system_server.te b/private/system_server.te
index 33d0032..df87794 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -288,6 +288,7 @@
   hal_power_stats_server
   hal_sensors_server
   hal_vr_server
+  system_suspend_server
 }:process { signal };
 
 # Use sockets received over binder from various services.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3c5d91e..6a50f87 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -89,6 +89,7 @@
   hal_sensors_server
   hal_thermal_server
   hal_vr_server
+  system_suspend_server
 }:process signal;
 
 # Connect to tombstoned to intercept dumps.
diff --git a/public/te_macros b/public/te_macros
index 1ab417b..1187320 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -692,10 +692,15 @@
     # Use shared memory received over the unix socket.
     allow $1 heapprofd:fd use;
 
-    # To read from the received file descriptors.
+    # To read and write from the received file descriptors.
     # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
     # process they relate to.
-    allow heapprofd $1:file r_file_perms;
+    # We need to write to /proc/$PID/page_idle to find idle allocations.
+    # The client only opens /proc/self/page_idle with RDWR, everything else
+    # with RDONLY.
+    # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+    # sys_ptrace.
+    allow heapprofd $1:file rw_file_perms;
     # Allow searching the /proc/[pid] directory for cmdline.
     allow heapprofd $1:dir r_dir_perms;
   ')
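Review bot: `allow heapprofd $1:file rw_file_perms;` widens write access to every file carrying the profiled domain's type, not only `/proc/$PID/page_idle`. SELinux cannot tell the per-process proc entries apart by label, so the limit described in the comment rests on the client's open flags and on heapprofd lacking `sys_ptrace`. The comment should say so directly, for example `# SELinux cannot restrict this to page_idle; we rely on the client passing only that fd as RDWR.` If append is not required, `allow heapprofd $1:file { r_file_perms write };` would grant less. The enclosing macro begins above this hunk, so its other rules are not visible here.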
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1fa885d..0a3e2d9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -2,7 +2,7 @@
 # Default HALs
 #
 /(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service         u:object_r:hal_atrace_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service     u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service  u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service  u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service  u:object_r:hal_vehicle_default_exec:s0