Allow iorapd to access perfetto

This requires moving the type declaration of
perfetto's traced to public, because the iorapd
rules under public/ need to refer to it.

Denials without this CL:
https://pastebin.com/raw/sxHMeLEU

Bug: 72170747
Test: 1. runcon u:r:iorapd:s0 iorap.cmd.perfetto \
          -v --output-proto /data/misc/iorapd/test
      2. Check that no selinux denials other than
         avc: denied { entrypoint } for path="/system/bin/iorap.cmd.perfetto" dev="sda6" ino=21 scontext=u:r:iorapd:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
         show up (this is a side-effect of runcon).

Change-Id: Iacd1ab201fe9fb2a6302dbd528f42f709cbca054
diff --git a/private/traced.te b/private/traced.te
index 33c5ac0..f58aa0f 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,5 +1,7 @@
 # Perfetto user-space tracing daemon (unprivileged)
-type traced, domain, coredomain, mlstrustedsubject;
+
+# type traced is defined under /public (because iorapd rules
+# under public/ need to refer to it).
 type traced_exec, system_file_type, exec_type, file_type;
 
 # Allow init to exec the daemon.
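Review bot: The public declaration that replaces the removed `type traced, domain, coredomain, mlstrustedsubject;` is not visible in this file section, so it should be checked that it carries the same attributes. `mlstrustedsubject` matters most, since it exempts the domain from MLS constraints. Moving the type to public also lets policy outside the platform refer to `traced`, which widens the surface that has to stay stable. If only the iorapd rules need the type, keeping those rules under private/ would avoid exporting it; the rest of the change is not shown here, so this may already have been considered.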
@@ -19,10 +21,18 @@
 # directly into that (rather than returning the trace contents over the socket).
 allow traced perfetto:fd use;
 allow traced shell:fd use;
-allow traced traceur_app:fd use;
 allow traced perfetto_traces_data_file:file { read write };
+
+# Allow traceur to pass open file descriptors to traced, so traced can directly
+# write into the output file without doing roundtrips over IPC.
+allow traced traceur_app:fd use;
 allow traced trace_data_file:file { read write };
 
+# Allow iorapd to pass memfd descriptors to traced, so traced can directly
+# write into the shmem buffer file without doing roundtrips over IPC.
+allow traced iorapd:fd use;
+allow traced iorapd_tmpfs:file { read write };
+
 ###
 ### Neverallow rules
 ###
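Review bot: The added `allow traced iorapd_tmpfs:file { read write };` covers every file labelled iorapd_tmpfs, not only the memfd that is handed over, and the comment above it does not say what bounds that access. The bound is that no `open` is granted, so traced can reach such a file only through a descriptor iorapd passes; a line such as `# No open permission: traced may only use descriptors that iorapd passes to it.` would record that and discourage adding `open` later. If traced maps the buffer rather than calling write(), `map` may also be needed. The denial quoted in the description carries permissive=1, so it is worth confirming in enforcing mode that `{ read write }` is sufficient.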