diff options
Diffstat (limited to 'prebuilts/api/32.0/private/traced.te')
| -rw-r--r-- | prebuilts/api/32.0/private/traced.te | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/traced.te b/prebuilts/api/32.0/private/traced.te new file mode 100644 index 000000000..fc9a2455a --- /dev/null +++ b/prebuilts/api/32.0/private/traced.te @@ -0,0 +1,121 @@ +# Perfetto user-space tracing daemon (unprivileged) + +# type traced is defined under /public (because iorapd rules +# under public/ need to refer to it). +type traced_exec, system_file_type, exec_type, file_type; + +# Allow init to exec the daemon. +init_daemon_domain(traced) +tmpfs_domain(traced) + +# Allow apps in other MLS contexts (for multi-user) to access +# share memory buffers created by traced. +typeattribute traced_tmpfs mlstrustedobject; + +# Allow traced to start with a lower scheduling class and change +# class accordingly to what defined in the config provided by +# the privileged process that controls it. +allow traced self:global_capability_class_set { sys_nice }; + +# Allow to pass a file descriptor for the output trace from "perfetto" (the +# cmdline client) and other shell binaries to traced and let traced write +# directly into that (rather than returning the trace contents over the socket). +allow traced perfetto:fd use; +allow traced shell:fd use; +allow traced shell:fifo_file { read write }; + +# Allow the service to create new files within /data/misc/perfetto-traces. +allow traced perfetto_traces_data_file:file create_file_perms; +allow traced perfetto_traces_data_file:dir rw_dir_perms; +# ... and /data/misc/perfetto-traces/bugreport* +allow traced perfetto_traces_bugreport_data_file:file create_file_perms; +allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms; + +# Allow traceur to pass open file descriptors to traced, so traced can directly +# write into the output file without doing roundtrips over IPC. +allow traced traceur_app:fd use; +allow traced trace_data_file:file { read write }; + +# Allow perfetto to access the proxy service for notifying Traceur. +allow traced tracingproxy_service:service_manager find; +binder_use(traced); +binder_call(traced, system_server); + +# Allow iorapd to pass memfd descriptors to traced, so traced can directly +# write into the shmem buffer file without doing roundtrips over IPC. +allow traced iorapd:fd use; +allow traced iorapd_tmpfs:file { read write }; + +# Allow traced to use shared memory supplied by producers. Typically, traced +# (i.e. the tracing service) creates the shared memory used for data transfer +# from the producer. This rule allows an alternative scheme, where the producer +# creates the shared memory, that is then adopted by traced (after validating +# that it is appropriately sealed). +# This list has to replicate the tmpfs domains of all applicable domains that +# have perfetto_producer() macro applied to them. +# perfetto_tmpfs excluded as it should never need to use the producer-supplied +# shared memory scheme. +allow traced { + appdomain_tmpfs + heapprofd_tmpfs + surfaceflinger_tmpfs + traced_probes_tmpfs + userdebug_or_eng(`system_server_tmpfs') +}:file { getattr map read write }; + +# Allow traced to notify Traceur when a trace ends by setting the +# sys.trace.trace_end_signal property. +set_prop(traced, system_trace_prop) +# Allow to lazily start producers. +set_prop(traced, traced_lazy_prop) + +# Allow traced to talk to statsd for logging metrics. +unix_socket_send(traced, statsdw, statsd) + +### +### Neverallow rules +### +### traced should NEVER do any of this + +# Disallow mapping executable memory (execstack and exec are already disallowed +# globally in domain.te). +neverallow traced self:process execmem; + +# Block device access. +neverallow traced dev_type:blk_file { read write }; + +# ptrace any other process +neverallow traced domain:process ptrace; + +# Disallows access to /data files, still allowing to write to file descriptors +# passed through the socket. +neverallow traced { + data_file_type + -perfetto_traces_data_file + -perfetto_traces_bugreport_data_file + -system_data_file + -system_data_root_file + # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a + # subsequent neverallow. Currently only getattr and search are allowed. + -vendor_data_file + -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') +}:dir *; +neverallow traced { system_data_file }:dir ~{ getattr search }; +neverallow traced zoneinfo_data_file:dir ~r_dir_perms; +neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *; +neverallow traced { + data_file_type + -zoneinfo_data_file + -perfetto_traces_data_file + -perfetto_traces_bugreport_data_file + -trace_data_file + with_native_coverage(`-method_trace_data_file') +}:file ~write; + +# Only init is allowed to enter the traced domain via exec() +neverallow { domain -init } traced:process transition; +neverallow * traced:process dyntransition; + +# Limit the processes that can access tracingproxy_service. +neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find; |