Merge "Allow iorapd to access perfetto"
diff --git a/private/traced.te b/private/traced.te
index 33c5ac0..f58aa0f 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,5 +1,7 @@
# Perfetto user-space tracing daemon (unprivileged)
-type traced, domain, coredomain, mlstrustedsubject;
+
+# type traced is defined under /public (because iorapd rules
+# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
# Allow init to exec the daemon.
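Review bot: Moving `traced` out of private/ (the rationale on the two new comment lines) exports it into the vendor-visible public policy, where it becomes part of the platform/vendor compatibility surface and is harder to retire later even though nothing vendor-side is shown to need it. The only consumer of the public type named here is iorapd's socket rule; if that one rule can live in a private/iorapd.te instead (confirm whether such a file exists or can be added), `traced` can stay a private type and this relocation becomes unnecessary. If the move is deliberate, say so where the type now lives rather than only here, e.g. `# NOTE: traced is a public type and therefore part of the platform/vendor policy API.`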
@@ -19,10 +21,18 @@
# directly into that (rather than returning the trace contents over the socket).
allow traced perfetto:fd use;
allow traced shell:fd use;
-allow traced traceur_app:fd use;
allow traced perfetto_traces_data_file:file { read write };
+
+# Allow traceur to pass open file descriptors to traced, so traced can directly
+# write into the output file without doing roundtrips over IPC.
+allow traced traceur_app:fd use;
allow traced trace_data_file:file { read write };
+# Allow iorapd to pass memfd descriptors to traced, so traced can directly
+# write into the shmem buffer file without doing roundtrips over IPC.
+allow traced iorapd:fd use;
+allow traced iorapd_tmpfs:file { read write };
+
###
### Neverallow rules
###
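Review bot: `allow traced iorapd_tmpfs:file { read write };` lets an unprivileged mlstrustedsubject domain (per the header comment) write into the shmem buffer iorapd hands it, so iorapd must treat every byte it reads back from that buffer as untrusted input rather than as its own memory; that trust boundary is worth stating next to the rule, e.g. `# traced is unprivileged: iorapd must validate whatever it reads back from this buffer.` The rule grants no `open`, so traced can only reach memfds iorapd chooses to pass it, which is the right least-privilege shape and matches the traceur_app/trace_data_file pattern above. The neverallow section whose header is the last line here continues outside the hunk; any existing neverallow constraining fd use against traced or connections to traced_consumer now needs an iorapd carve-out, so confirm the policy still builds with the assertion set.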
diff --git a/public/iorapd.te b/public/iorapd.te
index c056943..f2df0b0 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -31,6 +31,9 @@
# iorapd temporarily changes its priority when running benchmarks
allow iorapd self:global_capability_class_set sys_nice;
+# Allow to access Perfetto traced's privileged consumer socket to start/stop
+# tracing sessions and read trace data.
+unix_socket_connect(iorapd, traced_consumer, traced)
###
### neverallow rules
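Review bot: The consumer endpoint grants more than "start/stop tracing sessions and read trace data" suggests: in Perfetto's model a consumer configures sessions that pull data from any registered producer and reads the resulting trace, so this rule widens what iorapd can observe on the device, not just its own data. The comment should record that trust decision, e.g. `# NOTE: consumer access lets iorapd start sessions against any producer and read their output; iorapd is trusted for this presumably at the same level as the existing shell/traceur consumers.` Because this rule sits in public/iorapd.te it also forces `traced` to become a public type (see the matching move in traced.te); placing it in a private iorapd file, if one exists, would avoid exporting the type. The neverallow section that starts on the last line here continues outside the hunk.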
diff --git a/public/traced.te b/public/traced.te
new file mode 100644
index 0000000..ec5b850
--- /dev/null
+++ b/public/traced.te
@@ -0,0 +1,2 @@
+type traced, domain, coredomain, mlstrustedsubject;
+