41a2abfc0d
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.
Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...
Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
75 lines
2.6 KiB
Text
75 lines
2.6 KiB
Text
# Perfetto user-space tracing daemon (unprivileged)
|
|
|
|
# type traced is defined under /public (because iorapd rules
|
|
# under public/ need to refer to it).
|
|
type traced_exec, system_file_type, exec_type, file_type;
|
|
type traced_tmpfs, file_type;
|
|
|
|
# Allow init to exec the daemon.
|
|
init_daemon_domain(traced)
|
|
tmpfs_domain(traced)
|
|
|
|
# Allow apps in other MLS contexts (for multi-user) to access
|
|
# share memory buffers created by traced.
|
|
typeattribute traced_tmpfs mlstrustedobject;
|
|
|
|
# Allow traced to start with a lower scheduling class and change
|
|
# class accordingly to what defined in the config provided by
|
|
# the privileged process that controls it.
|
|
allow traced self:global_capability_class_set { sys_nice };
|
|
|
|
# Allow to pass a file descriptor for the output trace from "perfetto" (the
|
|
# cmdline client) and other shell binaries to traced and let traced write
|
|
# directly into that (rather than returning the trace contents over the socket).
|
|
allow traced perfetto:fd use;
|
|
allow traced shell:fd use;
|
|
allow traced perfetto_traces_data_file:file { read write };
|
|
|
|
# Allow traceur to pass open file descriptors to traced, so traced can directly
|
|
# write into the output file without doing roundtrips over IPC.
|
|
allow traced traceur_app:fd use;
|
|
allow traced trace_data_file:file { read write };
|
|
|
|
# Allow iorapd to pass memfd descriptors to traced, so traced can directly
|
|
# write into the shmem buffer file without doing roundtrips over IPC.
|
|
allow traced iorapd:fd use;
|
|
allow traced iorapd_tmpfs:file { read write };
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### traced should NEVER do any of this
|
|
|
|
# Disallow mapping executable memory (execstack and exec are already disallowed
|
|
# globally in domain.te).
|
|
neverallow traced self:process execmem;
|
|
|
|
# Block device access.
|
|
neverallow traced dev_type:blk_file { read write };
|
|
|
|
# ptrace any other process
|
|
neverallow traced domain:process ptrace;
|
|
|
|
# Disallows access to /data files, still allowing to write to file descriptors
|
|
# passed through the socket.
|
|
neverallow traced {
|
|
data_file_type
|
|
-system_data_file
|
|
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
|
|
# subsequent neverallow. Currently only getattr and search are allowed.
|
|
-vendor_data_file
|
|
-zoneinfo_data_file
|
|
}:dir *;
|
|
neverallow traced { system_data_file }:dir ~{ getattr search };
|
|
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
|
|
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
|
|
neverallow traced {
|
|
data_file_type
|
|
-zoneinfo_data_file
|
|
-perfetto_traces_data_file
|
|
-trace_data_file
|
|
}:file ~write;
|
|
|
|
# Only init is allowed to enter the traced domain via exec()
|
|
neverallow { domain -init } traced:process transition;
|
|
neverallow * traced:process dyntransition;
|