author Hector Dearman <hjd@google.com> 2019-09-04 14:46:36 +0100
committer Peiyong Lin <lpy@google.com> 2020-01-10 09:17:27 -0800
commit c0bad7b98f9d420698cfdc8e04dcea8352477905
tree 6b38a022fa74e1302af9ea4070066b5b4931cbae
parent 4c06707b5ebf8a273e96e8dfcd53843ec90cb5e6
Allow adb forward to traced consumer socket

Currently shell can connect to the traced_consumer_socket allowing it to configure/start/stop and collect traces. This allows a host tool (e.g. Android Studio or https://ui.perfetto.dev) to connect to the device via adb and collect traces. It would be better if rather than executing shell commands the host tool could directly communicate with the consumer socket. This is possible using adb forward:

adb forward tcp:9903 localfilesystem:/dev/socket/traced_consumer

However in this case adbd is connecting to the socket - not shell. This CL allows adbd to connect to the socket which allows host tools to collect traces without having to do everything through shell commands.

Note that this patch also has an additional change on prebuilts in order to backport.

Denial:
08-30 11:28:05.809 10254 10254 W adbd : type=1400 audit(0.0:1129): avc: denied { write } for name="traced_consumer" dev="tmpfs" ino=6719 scontext=u:r:adbd:s0 tcontext=u:object_r:traced_consumer_socket:s0 tclass=sock_file permissive=0

Test:
Cherry pick CL to master, make, flash
adb logcat | grep denied
adb forward tcp:9903 localfilesystem:/dev/socket/traced_consumer

Bug: b/139536756
Change-Id: Ie08e687c0b06d0e1121009e8cd70319a8f907ae2
(cherry-picked from commit b56a49d979c228400abaae849e9df95d0c834f51)
-rw-r--r-- prebuilts/api/29.0/private/adbd.te | 4
-rw-r--r-- private/adbd.te | 4
2 files changed, 8 insertions, 0 deletions
diff --git a/prebuilts/api/29.0/private/adbd.te b/prebuilts/api/29.0/private/adbd.te
index 2fa4af63..ec5c57ee 100644
--- a/prebuilts/api/29.0/private/adbd.te
+++ b/prebuilts/api/29.0/private/adbd.te
@@ -23,6 +23,10 @@ recovery_only(`
unix_socket_connect(adbd, recovery, recovery)
')
+# Control Perfetto traced and obtain traces from it.
+# Needed to allow port forwarding directly to traced.
+unix_socket_connect(adbd, traced_consumer, traced)
+
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
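Review bot: The added `unix_socket_connect(adbd, traced_consumer, traced)` line lands in prebuilts/api/29.0, a per-API-level prebuilt, and the only justification is the single sentence in the commit message saying the prebuilts change is there "in order to backport". Suggest expanding that sentence to say why the 29.0 copy has to change together with private/adbd.te on this branch, so the edit is not read as accidental later. The index lines show both files moving 2fa4af63..ec5c57ee, so the two copies end up with the same content; stating that as the intended outcome in the message would help.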
diff --git a/private/adbd.te b/private/adbd.te
index 2fa4af63..ec5c57ee 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -23,6 +23,10 @@ recovery_only(`
unix_socket_connect(adbd, recovery, recovery)
')
+# Control Perfetto traced and obtain traces from it.
+# Needed to allow port forwarding directly to traced.
+unix_socket_connect(adbd, traced_consumer, traced)
+
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
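Review bot: The added `unix_socket_connect(adbd, traced_consumer, traced)` rule is unconditional, unlike the recovery_only block directly above it, and the two comment lines do not say how far the grant reaches. Per the commit message, shell can already configure, start, stop and collect traces over this socket, so adbd gains nothing shell lacked; with adb forward, however, the peer is whatever connects to the forwarded TCP port on the host rather than a command run through shell. Suggest extending the comment to record both points, for example "Same access shell already has; peer is the host end of adb forward". It would also help if the Test section stated that the logcat grep came back empty after the forward, since the quoted denial only covers { write } on the sock_file.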