Changes to allow trace redactor to run
Updates to allow profiling module to run new trace_redactor binary.
Allow the trace_redactor binary to read the input trace file and write
the output file.
Bug: 327423523
Test: build/flash and
atest CtsProfilingModuleTests#testRequestSystemTraceSuccess
Change-Id: Id6684d8a9891e9ed42fe115066e41a89a7e8a097
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index c76f030..8af0fda 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -483,6 +483,7 @@
/system/bin/android.automotive.evs.manager@1.0 evsmanagerd_exec
/system/bin/android.automotive.evs.manager@1.99 evsmanagerd_exec
/system/bin/uprobestats uprobestats_exec
+/system/bin/trace_redactor trace_redactor_exec
/vendor vendor_file
/vendor/does_not_exist vendor_file
diff --git a/private/file_contexts b/private/file_contexts
index 193c033..2b1de69 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -339,6 +339,7 @@
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
+/system/bin/trace_redactor u:object_r:trace_redactor_exec:s0
/system/bin/heapprofd u:object_r:heapprofd_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
diff --git a/private/perfetto.te b/private/perfetto.te
index 616da39..07d4399 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -95,6 +95,7 @@
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
-priv_app # For stating traces for bug-report UI.
-system_server # For accessing traces started by profiling apis.
+ -trace_redactor # For accessing traces to be redacted.
} perfetto_traces_data_file:dir *;
neverallow {
domain
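Review bot: The `-trace_redactor` exemption on the `perfetto_traces_data_file:dir *` neverallow lifts the whole restriction for the new domain, although private/trace_redactor.te only grants it `search` there. The second hunk has the same shape: it exempts the domain from `perfetto_traces_data_file:file ~{ getattr read }` when the only permission it is granted outside that set is `ioctl`. These files hold unredacted traces, so I would pin the domain with its own rules so that a later allow cannot quietly add write or unlink: `neverallow trace_redactor perfetto_traces_data_file:dir ~{ search };` and `neverallow trace_redactor perfetto_traces_data_file:file ~{ getattr read ioctl };`. The comment `# For redacting trace files.` reads as if the domain writes to this type, whereas the write grant in the new policy is on `perfetto_traces_profiling_data_file`; something like `# Needs ioctl on input traces; output is written elsewhere.` would be more accurate. Both neverallow blocks begin or end outside their hunks, so the full exemption lists are not visible here.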
@@ -104,6 +105,7 @@
-shell # For devepment purposes.
-traced # For write_into_file traces.
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
+ -trace_redactor # For redacting trace files.
} perfetto_traces_data_file:file ~{ getattr read };
### perfetto should NEVER do any of the following
diff --git a/private/system_server.te b/private/system_server.te
index 9b3ddfd..bb84eed 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -586,9 +586,14 @@
# Allow system server to manage perfetto traces for ProfilingService.
allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
-allow system_server perfetto_traces_profiling_data_file:file { rw_file_perms unlink };
+allow system_server perfetto_traces_profiling_data_file:file create_file_perms;
allow system_server perfetto_traces_data_file:dir search;
+# Allow system server to exec the trace redactor cmdline client and kill the process for
+# ProfilingService.
+domain_auto_trans(system_server, trace_redactor_exec, trace_redactor);
+allow system_server trace_redactor:process signal;
+
# Allow system server to kill perfetto processes for ProfilingService.
allow system_server perfetto:process signal;
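Review bot: Replacing `{ rw_file_perms unlink }` with `create_file_perms` on `perfetto_traces_profiling_data_file:file` also gives system_server `create`, `rename` and `setattr`, and neither the comment above the rule nor the commit message says which of these ProfilingService needs. trace_redactor only gets `rw_file_perms` on this type, so presumably system_server pre-creates the redacted output file; if that is the only new need, `{ rw_file_perms create unlink }` is the narrower grant. Separately, the new comment says system_server may kill the redactor, but the `signal` permission does not cover SIGKILL, which is the separate `sigkill` permission. If the service ever force-kills the process that would be denied, so the comment could say `send signals to (not SIGKILL)`.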
@@ -1319,7 +1324,8 @@
# Ensure that system_server doesn't perform any domain transitions other than
# transitioning to the crash_dump domain when a crash occurs or fork clatd.
-neverallow system_server { domain -clatd -crash_dump -perfetto }:process transition;
+# add perfetto and trace_redactor which are exec'd from system server for ProfilingService.
+neverallow system_server { domain -clatd -crash_dump -perfetto -trace_redactor }:process transition;
neverallow system_server *:process dyntransition;
# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
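Review bot: The comment above the transition neverallow now contradicts itself: its first two lines still say the only permitted transitions are crash_dump and clatd, and the added line `# add perfetto and trace_redactor ...` is phrased as a change note rather than a description of the rule. I would fold it into one statement, for example `# Ensure that system_server only transitions to crash_dump (on crash), clatd, and perfetto/trace_redactor (exec'd for ProfilingService).` Every name subtracted here is another domain that code running as system_server can transition into, so the exception list should stay easy to audit.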
diff --git a/private/trace_redactor.te b/private/trace_redactor.te
new file mode 100644
index 0000000..fbca3fd
--- /dev/null
+++ b/private/trace_redactor.te
@@ -0,0 +1,13 @@
+# Trace Redactor command line
+type trace_redactor_exec, system_file_type, exec_type, file_type;
+type trace_redactor, domain, coredomain;
+
+# Use pipes provided by system_server
+allow trace_redactor system_server:fd use;
+allow trace_redactor system_server:fifo_file { read write getattr ioctl };
+
+# Allow trace_redactor to read output trace file and write to new redacted file.
+allow trace_redactor perfetto_traces_profiling_data_file:dir search;
+allow trace_redactor perfetto_traces_data_file:dir search;
+allow trace_redactor perfetto_traces_data_file:file { read getattr ioctl };
+allow trace_redactor perfetto_traces_profiling_data_file:file rw_file_perms;
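Review bot: The grant `perfetto_traces_data_file:file { read getattr ioctl }` omits `open`, so as written the domain can only use such a file through an already-open descriptor, yet the only `fd use` rule is for system_server and the `perfetto_traces_data_file:dir search` rule suggests path-based access. It is worth confirming which is intended and dropping whichever rule is unused. The comment `# Allow trace_redactor to read output trace file ...` could name the labels, e.g. `# Input: perfetto_traces_data_file (read-only). Output: perfetto_traces_profiling_data_file (read-write).` The file also has no neverallow limiting entry into the domain; assuming system_server is the only intended launcher, `neverallow { domain -system_server } trace_redactor:process { transition dyntransition };` would make that enforceable.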