Allow traced_probes to subscribe to statsd atoms
Denials:
SELinux : avc: denied { find } for pid=1279 uid=9999 name=stats scontext=u:r:traced_probes:s0 tcontext=u:object_r:stats_service:s0 tclass=service_manager permissive=0
traced_probes: type=1400 audit(0.0:11): avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
traced_probes: type=1400 audit(0.0:12): avc: denied { transfer } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
binder:1076_7: type=1400 audit(0.0:13): avc: denied { call } for scontext=u:r:statsd:s0 tcontext=u:r:traced_probes:s0 tclass=binder permissive=1
See go/ww-atom-subscriber-api
Testing steps:
Patch ag/21985690
Run:
$ adb push test/configs/statsd.cfg /data/misc/perfetto-configs/statsd.cfg
$ adb shell perfetto --txt -c /data/misc/perfetto-configs/statsd.cfg -o /data/misc/perfetto-traces/statsd.pb
$ adb pull /data/misc/perfetto-traces/statsd.pb statsd.pb
$ out/linux_clang_debug/traceconv text statsd.pb
Check logcat for denials.
Test: See above
Bug: 268661096
Change-Id: I58045b55ca8a4aa6f00774cc2d72d7b10a232922
diff --git a/private/stats.te b/private/stats.te
index 89b9488..5790faa 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -56,4 +56,5 @@
-system_app
-system_server
-traceur_app
+ -traced_probes
} stats_service:service_manager find;
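Review bot: The new `-traced_probes` exemption at the end of this neverallow block removes the build-time guard for traced_probes finding `stats_service`, so the only thing still bounding that access is the matching `allow traced_probes stats_service:service_manager find;` rule the commit adds in private/traced_probes.te; the two must stay in sync, and a later edit that drops the allow rule would leave a silent exemption behind. The neverallow statement itself opens outside this hunk, so I cannot see whether it carries a comment listing why each exempted domain needs the service. If it does not, a short comment next to the new entry, `# traced_probes: statsd atom subscription (perfetto)`, would document the reason at the point where the policy is loosened rather than only in the commit message.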
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 5cc271c..dfc4d07 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -100,8 +100,10 @@
# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')
-# Allow traced_probes to talk to statsd for logging metrics.
+# Allow traced_probes to talk to statsd for logging metrics and recording atoms.
unix_socket_send(traced_probes, statsdw, statsd)
+binder_call(traced_probes, statsd)
+allow traced_probes stats_service:service_manager find;
###
### Neverallow rules
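Review bot: The rewritten comment above `unix_socket_send(traced_probes, statsdw, statsd)` now has to explain three rules with different scopes, and the two new lines (`binder_call(traced_probes, statsd)` and `allow traced_probes stats_service:service_manager find;`) are the ones that actually grant binder reachability to statsd, so they deserve their own comment. I would keep the original comment on the socket rule and add above the new pair `# Allow traced_probes to find statsd's binder service and subscribe to atoms.` The `find` denial in the commit message was logged with `permissive=0` while the binder `call`/`transfer` denials were only observed with `permissive=1`, which suggests the binder rules were derived in permissive mode; it is worth confirming on an enforcing build that no further denial (for example on the statsd service object itself) appears once `find` succeeds. The surrounding rule block continues outside the hunk, so any existing `binder_use` for traced_probes is not visible here; the `find` denial implies traced_probes already reaches servicemanager, but that is an inference.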
diff --git a/public/statsd.te b/public/statsd.te
index e1c24c6..71597cc 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -34,6 +34,7 @@
binder_call(statsd, appdomain)
binder_call(statsd, incidentd)
binder_call(statsd, system_server)
+binder_call(statsd, traced_probes)
# Allow statsd to interact with gpuservice
allow statsd gpu_service:service_manager find;
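Review bot: `binder_call(statsd, traced_probes)` grants the reverse direction of the new traced_probes→statsd relationship, but nothing in the file says why statsd needs to initiate calls into traced_probes; the only explanation is the `scontext=u:r:statsd:s0 tcontext=u:r:traced_probes:s0` denial in the commit message. Because statsd is a public type and this rule applies to every build, a one-line comment would help the next reviewer judge whether the grant is still needed, for example `# Allow statsd to call back into traced_probes to deliver subscribed atoms.` — the callback purpose is inferred from the commit description, so adjust the wording if the interface differs. The existing `binder_call` lines above it are uncommented, so placing the comment on this line alone is consistent with the file's sparse style.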