From 54a86e2b5cebb91e8f63e62059f5816119eb555c Mon Sep 17 00:00:00 2001
From: Primiano Tucci <primiano@google.com>
Date: Fri, 2 Mar 2018 19:27:06 +0000
Subject: [PATCH] perfetto: allow traced_probes to execute atrace

This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.

Change-Id: I2b0a66dcb519cb296e1d0e6e3f15a425dc809089
Bug: 73340039
---
 private/traced_probes.te | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/private/traced_probes.te b/private/traced_probes.te
index 22746e76b..1d8341157 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,6 +35,27 @@ allow traced_probes kmsg_device:chr_file write;
 # Allow traced_probes to list the system partition.
 allow traced_probes system_file:dir { open read };
 
+# ----- Begin of policies for exec(atrace) -----
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+
+allow traced_probes atrace_exec:file rx_file_perms;
+
+# This is needed for: path="/system/bin/linker64"
+# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
+allow atrace traced_probes:fd use;
+
+# atrace sets debug.atrace.* properties to tell services to enable their
+# userspace tracing.
+set_prop(traced_probes, debug_prop)
+
+# And then sends them an IPC to tell them to re-read that property.
+binder_use(traced_probes)
+allow traced_probes healthd:binder call;
+allow traced_probes surfaceflinger:binder call;
+get_prop(traced_probes, hwservicemanager_prop)
+# ----- End of policies for exec(atrace) -----
+
 ###
 ### Neverallow rules
 ###
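Review bot: The rule at L32 grants `rx_file_perms` with no domain transition, so atrace executes inside the traced_probes domain, yet the denial quoted at L34-35 has `scontext=u:r:atrace:s0`, which can only arise if atrace runs in its own domain; one of the two is inconsistent, and as written the `allow atrace traced_probes:fd use;` at L36 is either dead or covers a transition the hunk does not declare. The practical consequence is that the property-write and binder rights at L40-46 are held by traced_probes permanently rather than only for the lifetime of the atrace child, and the child inherits everything traced_probes is already allowed (the kmsg and system_file rules visible above the hunk, plus whatever precedes L24). If the intent is to keep atrace confined, replace L32 with `domain_auto_trans(traced_probes, atrace_exec, atrace)` and move the set_prop/binder rules to the atrace domain, which also makes the fd rule at L36 meaningful. Separately, `set_prop(traced_probes, debug_prop)` at L40 is broader than the `debug.atrace.*` the comment names if debug_prop maps more of the `debug.` namespace; a note such as `# NOTE: debug_prop may cover more than debug.atrace.* — confirm against property_contexts` would flag that for the next reviewer.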
-- 
GitLab