Add selinux rules for perfetto daemones Note: this is a somewhat minimal set of rules required to be able to capture traces on Microdroid. After the trace is captured I still see a bunch of SELinux denials. We might need to add more allow rules in the follow up changes. Bug: 249050813 Test: boot Microdroid VM, capture traces with record_android_traces Change-Id: I62098fb79a8db65706a5bb28c8acce7ff3821f15

commit: 6069e7c8f21880cb9188365a3896c3508ad72194 [log] [tgz]
author: Nikita Ioffe <ioffe@google.com> Fri Mar 03 00:43:22 2023 +0000
committer: Nikita Ioffe <ioffe@google.com> Tue Mar 14 15:07:54 2023 +0000
tree: 30d41e0b3a01d10a25930dce732af10c234b9d4d
parent: 6ad15b7c74b45c5696206823c6451c2b5af5e78f [diff] [blame]
diff --git a/microdroid/system/private/atrace.te b/microdroid/system/private/atrace.te
new file mode 100644
index 0000000..f8dd24f
--- /dev/null
+++ b/microdroid/system/private/atrace.te

@@ -0,0 +1,11 @@
+# SELinux policy for the atrace daemon running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/atrace.te
+# So far, this file contains a subset of rules defined for the host Android.
+
+type atrace, domain, coredomain;
+type atrace_exec, exec_type, file_type, system_file_type;
+
+# Allow atrace to write data when a pipe is used for stdout/stderr.
+# This is used by Perfetto to capture atrace stdout/stderr.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file { getattr write };
commit	6069e7c8f21880cb9188365a3896c3508ad72194	[log] [tgz]
author	Nikita Ioffe <ioffe@google.com>	Fri Mar 03 00:43:22 2023 +0000
committer	Nikita Ioffe <ioffe@google.com>	Tue Mar 14 15:07:54 2023 +0000
tree	30d41e0b3a01d10a25930dce732af10c234b9d4d
parent	6ad15b7c74b45c5696206823c6451c2b5af5e78f [diff] [blame]