# Perfetto tracing probes, has tracefs access. type traced_probes_exec, system_file_type, exec_type, file_type; type traced_probes_tmpfs, file_type; # Allow init to exec the daemon. init_daemon_domain(traced_probes) tmpfs_domain(traced_probes) # Write trace data to the Perfetto traced damon. This requires connecting to its # producer socket and obtaining a (per-process) tmpfs fd. perfetto_producer(traced_probes) # Allow traced_probes to access tracefs. allow traced_probes debugfs_tracing:dir r_dir_perms; allow traced_probes debugfs_tracing:file rw_file_perms; allow traced_probes debugfs_trace_marker:file getattr; allow traced_probes debugfs_tracing_printk_formats:file r_file_perms; # Allow traced_probes to access mm_events trace instance allow traced_probes debugfs_tracing_instances:dir search; allow traced_probes debugfs_mm_events_tracing:dir search; allow traced_probes debugfs_mm_events_tracing:file rw_file_perms; # TODO(primiano): temporarily I/O tracing categories are still # userdebug only until we nail down the denylist/allowlist. userdebug_or_eng(` allow traced_probes debugfs_tracing_debug:dir r_dir_perms; allow traced_probes debugfs_tracing_debug:file rw_file_perms; ') # Allow traced_probes to start with a higher scheduling class and then downgrade # itself. allow traced_probes self:global_capability_class_set { sys_nice }; # Allow procfs access r_dir_file(traced_probes, domain) # Allow to temporarily lift the kptr_restrict setting and build a symbolization # map reading /proc/kallsyms. userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)') allow traced_probes proc_kallsyms:file r_file_perms; # Allow to read packages.list file. allow traced_probes packages_list_file:file r_file_perms; # Allow to log to kernel dmesg when starting / stopping ftrace. allow traced_probes kmsg_device:chr_file write; # Allow traced_probes to list the system partition. allow traced_probes system_file:dir { open read }; # Allow traced_probes to list some of the data partition. allow traced_probes self:global_capability_class_set dac_read_search; allow traced_probes apk_data_file:dir { getattr open read search }; allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search }; allow traced_probes dalvikcache_data_file:dir { getattr open read search }; userdebug_or_eng(` # search and getattr are granted via domain and coredomain, respectively. allow traced_probes system_data_file:dir { open read }; ') allow traced_probes system_app_data_file:dir { getattr open read search }; allow traced_probes backup_data_file:dir { getattr open read search }; allow traced_probes bootstat_data_file:dir { getattr open read search }; allow traced_probes update_engine_data_file:dir { getattr open read search }; allow traced_probes update_engine_log_data_file:dir { getattr open read search }; allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search }; # Allow traced_probes to run atrace. atrace pokes at system services to enable # their userspace TRACE macros. domain_auto_trans(traced_probes, atrace_exec, atrace); # Allow traced_probes to kill atrace on timeout. allow traced_probes atrace:process sigkill; # Allow traced_probes to access /proc files for system stats. # Note: trace data is NOT exposed to anything other than shell and privileged # system apps that have access to the traced consumer socket. allow traced_probes { proc_meminfo proc_vmstat proc_stat }:file r_file_perms; # Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files allow traced_probes sysfs_devfreq_dir:dir r_dir_perms; allow traced_probes sysfs_devfreq_cur:file r_file_perms; # Allow access to the IHealth and IPowerStats HAL service for tracing battery counters. hal_client_domain(traced_probes, hal_health) hal_client_domain(traced_probes, hal_power_stats) # Allow access to Atrace HAL for enabling vendor/device specific tracing categories. hal_client_domain(traced_probes, hal_atrace) # On debug builds allow to ingest system logs into the trace. userdebug_or_eng(`read_logd(traced_probes)') # Allow traced_probes to talk to statsd for logging metrics. unix_socket_send(traced_probes, statsdw, statsd) ### ### Neverallow rules ### ### traced_probes should NEVER do any of this # Disallow mapping executable memory (execstack and exec are already disallowed # globally in domain.te). neverallow traced_probes self:process execmem; # Block device access. neverallow traced_probes dev_type:blk_file { read write }; # ptrace any other app neverallow traced_probes domain:process ptrace; # Disallows access to /data files. neverallow traced_probes { data_file_type -apex_module_data_file -apex_art_data_file -apk_data_file -dalvikcache_data_file -system_data_file -system_data_root_file -system_app_data_file -backup_data_file -bootstat_data_file -update_engine_data_file -update_engine_log_data_file -user_profile_root_file -user_profile_data_file # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a # subsequent neverallow. Currently only getattr and search are allowed. -vendor_data_file -zoneinfo_data_file with_native_coverage(`-method_trace_data_file') }:dir *; neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search }; neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms; neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *; neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file with_native_coverage(`-method_trace_data_file') }:file *; # Only init is allowed to enter the traced_probes domain via exec() neverallow { domain -init } traced_probes:process transition; neverallow * traced_probes:process dyntransition;