| # Perfetto user-space tracing daemon (unprivileged) |
| |
| # type traced is defined under /public (because iorapd rules |
| # under public/ need to refer to it). |
| type traced_exec, system_file_type, exec_type, file_type; |
| |
| # Allow init to exec the daemon. |
| init_daemon_domain(traced) |
| tmpfs_domain(traced) |
| |
| # Allow apps in other MLS contexts (for multi-user) to access |
| # share memory buffers created by traced. |
| typeattribute traced_tmpfs mlstrustedobject; |
| |
| # Allow traced to start with a lower scheduling class and change |
| # class accordingly to what defined in the config provided by |
| # the privileged process that controls it. |
| allow traced self:global_capability_class_set { sys_nice }; |
| |
| # Allow to pass a file descriptor for the output trace from "perfetto" (the |
| # cmdline client) and other shell binaries to traced and let traced write |
| # directly into that (rather than returning the trace contents over the socket). |
| allow traced perfetto:fd use; |
| allow traced shell:fd use; |
| allow traced shell:fifo_file { read write }; |
| |
| # Allow the service to create new files within /data/misc/perfetto-traces. |
| allow traced perfetto_traces_data_file:file create_file_perms; |
| allow traced perfetto_traces_data_file:dir rw_dir_perms; |
| # ... and /data/misc/perfetto-traces/bugreport* |
| allow traced perfetto_traces_bugreport_data_file:file create_file_perms; |
| allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms; |
| |
| # Allow traceur to pass open file descriptors to traced, so traced can directly |
| # write into the output file without doing roundtrips over IPC. |
| allow traced traceur_app:fd use; |
| allow traced trace_data_file:file { read write }; |
| |
| # Allow perfetto to access the proxy service for notifying Traceur. |
| allow traced tracingproxy_service:service_manager find; |
| binder_use(traced); |
| binder_call(traced, system_server); |
| |
| # Allow iorapd to pass memfd descriptors to traced, so traced can directly |
| # write into the shmem buffer file without doing roundtrips over IPC. |
| allow traced iorapd:fd use; |
| allow traced iorapd_tmpfs:file { read write }; |
| |
| # Allow traced to use shared memory supplied by producers. Typically, traced |
| # (i.e. the tracing service) creates the shared memory used for data transfer |
| # from the producer. This rule allows an alternative scheme, where the producer |
| # creates the shared memory, that is then adopted by traced (after validating |
| # that it is appropriately sealed). |
| # This list has to replicate the tmpfs domains of all applicable domains that |
| # have perfetto_producer() macro applied to them. |
| # perfetto_tmpfs excluded as it should never need to use the producer-supplied |
| # shared memory scheme. |
| allow traced { |
| appdomain_tmpfs |
| heapprofd_tmpfs |
| surfaceflinger_tmpfs |
| traced_probes_tmpfs |
| userdebug_or_eng(`system_server_tmpfs') |
| }:file { getattr map read write }; |
| |
| # Allow traced to notify Traceur when a trace ends by setting the |
| # sys.trace.trace_end_signal property. |
| set_prop(traced, system_trace_prop) |
| # Allow to lazily start producers. |
| set_prop(traced, traced_lazy_prop) |
| |
| # Allow traced to talk to statsd for logging metrics. |
| unix_socket_send(traced, statsdw, statsd) |
| |
| ### |
| ### Neverallow rules |
| ### |
| ### traced should NEVER do any of this |
| |
| # Disallow mapping executable memory (execstack and exec are already disallowed |
| # globally in domain.te). |
| neverallow traced self:process execmem; |
| |
| # Block device access. |
| neverallow traced dev_type:blk_file { read write }; |
| |
| # ptrace any other process |
| neverallow traced domain:process ptrace; |
| |
| # Disallows access to /data files, still allowing to write to file descriptors |
| # passed through the socket. |
| neverallow traced { |
| data_file_type |
| -perfetto_traces_data_file |
| -perfetto_traces_bugreport_data_file |
| -system_data_file |
| -system_data_root_file |
| # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a |
| # subsequent neverallow. Currently only getattr and search are allowed. |
| -vendor_data_file |
| -zoneinfo_data_file |
| with_native_coverage(`-method_trace_data_file') |
| }:dir *; |
| neverallow traced { system_data_file }:dir ~{ getattr search }; |
| neverallow traced zoneinfo_data_file:dir ~r_dir_perms; |
| neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *; |
| neverallow traced { |
| data_file_type |
| -zoneinfo_data_file |
| -perfetto_traces_data_file |
| -perfetto_traces_bugreport_data_file |
| -trace_data_file |
| with_native_coverage(`-method_trace_data_file') |
| }:file ~write; |
| |
| # Only init is allowed to enter the traced domain via exec() |
| neverallow { domain -init } traced:process transition; |
| neverallow * traced:process dyntransition; |
| |
| # Limit the processes that can access tracingproxy_service. |
| neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find; |