Allow adb root to send config to perfetto
The perfetto binary (the frontend to traced) reads an input config
from stdin. This CL allows perfetto to read the config
from adb shell when the user is rooted.
Sample denials:
avc: denied { read } for comm="perfetto" path="pipe:[92340]"
dev="pipefs" ino=92340 scontext=u:r:perfetto:s0 tcontext=u:r:su:s0
tclass=fifo_file permissive=0
avc: denied { read } for comm="perfetto" path="pipe:[92491]"
dev="pipefs" ino=92491 scontext=u:r:perfetto:s0 tcontext=u:r:su:s0
tclass=fifo_file permissive=0
Test: adb root
adb shell
echo 'duration_ms: 1000;' > /sdcard/config
cat /sdcard/config | perfetto --txt -c - -d
Change-Id: I12042dfa9a2c262cec907f0231ce2184f46d1be8
diff --git a/private/perfetto.te b/private/perfetto.te
index c068dc5..4d8720a 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -20,12 +20,11 @@
binder_call(perfetto, system_server)
allow perfetto dropbox_service:service_manager find;
-# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
-# print out on stdout/stderr.
-allow perfetto statsd:fd use;
-allow perfetto statsd:fifo_file { getattr read write };
-allow perfetto shell:fd use;
-allow perfetto shell:fifo_file { getattr read write };
+# Allow perfetto to read the trace config from statsd and shell
+# (both root and non-root) on stdin and also to write the resulting trace to
+# stdout.
+allow perfetto { statsd shell su }:fd use;
+allow perfetto { statsd shell su }:fifo_file { getattr read write };
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
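Review bot: Adding `su` to the shared type set in `allow perfetto { statsd shell su }:fd use;` and the matching `fifo_file` rule grants the access on every build variant, although the commit message describes a rooted adb shell only. If the `su` domain is only reachable on userdebug/eng builds in this tree (not visible from this hunk), keep `{ statsd shell }` in the two existing rules and put `allow perfetto su:fd use;` and `allow perfetto su:fifo_file { getattr read write };` inside a `userdebug_or_eng(...)` block, so the user-build policy stays as it was. The sample denials show only `read` on the su pipe, so a short comment on the su rules noting that `write` is there for the stdout case would explain the wider grant. The rewritten comment also drops the earlier mention of stderr; restore it if stderr output through the pipe is still intended.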