Merge "sepolicy: add rules for traced_probes to capture stderr and kill atrace on timeout"

41ddb80c · Lalit Maganti · Gerrit Code Review · 0f3decf2 · d6ae1a5e · 41ddb80c
Commit 41ddb80c authored 6 years ago by Lalit Maganti Committed by Gerrit Code Review 6 years ago
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -13,6 +13,11 @@ allow atrace debugfs_tracing:dir r_dir_perms;
 allow atrace debugfs_tracing:file rw_file_perms;
 allow atrace debugfs_trace_marker:file getattr;
+# Allow atrace to write data when a pipe is used for stdout/stderr
+# This is used by Perfetto to capture the output on error in atrace.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file write;
 # atrace sets debug.atrace.* properties
 set_prop(atrace, debug_prop)

--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -53,9 +53,8 @@ allow traced_probes user_profile_data_file:dir { getattr open read search };
 # their userspace TRACE macros.
 domain_auto_trans(traced_probes, atrace_exec, atrace);
-# This is needed for: path="/system/bin/linker64"
+# Allow traced_probes to kill atrace on timeout.
-# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
+allow traced_probes atrace:process sigkill;
-allow atrace traced_probes:fd use;
 # Allow traced_probes to access /proc files for system stats.
 # Note: trace data is NOT exposed to anything other than shell and privileged