sepolicy: add rules for traced_probes to capture stderr and kill atrace on timeout

This CL adds rules to allow traced_probes to dup a pipe as the stderr for atrace and also send a sigkill to atrace after a timeout. This fixes b/119656920 Change-Id: Ie66aaba47c11ef7c733b442f35fee042b7c546fb

sepolicy: add rules for traced_probes to capture stderr and kill atrace on timeout
d6ae1a5e · Lalit Maganti · e00ca14c · d6ae1a5e · d6ae1a5e
Commit d6ae1a5e authored 6 years ago by Lalit Maganti
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -13,6 +13,11 @@ allow atrace debugfs_tracing:dir r_dir_perms;
 allow atrace debugfs_tracing:file rw_file_perms;
 allow atrace debugfs_trace_marker:file getattr;

+# Allow atrace to write data when a pipe is used for stdout/stderr
+# This is used by Perfetto to capture the output on error in atrace.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file write;
+
 # atrace sets debug.atrace.* properties
 set_prop(atrace, debug_prop)


--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -53,9 +53,8 @@ allow traced_probes user_profile_data_file:dir { getattr open read search };
 # their userspace TRACE macros.
 domain_auto_trans(traced_probes, atrace_exec, atrace);

-# This is needed for: path="/system/bin/linker64"
-# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
-allow atrace traced_probes:fd use;
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;

 # Allow traced_probes to access /proc files for system stats.
 # Note: trace data is NOT exposed to anything other than shell and privileged