Add producer socket to the selinux perfetto domain.
This change allows the perfetto cmdline client to access
the (unprivileged) producer socket of traced, with the
intent of triggering finalization of already running traces
(see b/130135730). Matching change: aosp/932138
Note that:
- perfetto cmdline can already access the consumer socket
(to start tracing sessions).
- The producer socket is already exposed to most domains,
including unprivileged apps.
Bug: 130135730
Bug: 128966650
Test: manual
(cherry picked from commit cdda2dc3c943030f6bc9b1e256be860086c88440)
Merged-In: Id9106279584798e6689102085fa46a0b7ecb1ba7
Change-Id: Id9106279584798e6689102085fa46a0b7ecb1ba7
diff --git a/private/perfetto.te b/private/perfetto.te
index 128205b..28ea868 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -11,6 +11,13 @@
# Allow to access traced's privileged consumer socket.
unix_socket_connect(perfetto, traced_consumer, traced)
+# Connect to the Perfetto traced daemon as a producer. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow perfetto traced:fd use;
+allow perfetto traced_tmpfs:file { read write getattr map };
+unix_socket_connect(perfetto, traced_producer, traced)
+
+
# Allow to write and unlink traces into /data/misc/perfetto-traces.
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;