51dc7cb1d4
This allows the trace producer daemon to snapshot counters at high frequency in the trace. As usual for Perfetto, this data is NOT made available to arbitrary apps but only to an extremely limited subset of processes governed by selinux rules (currently shell and statsd). Bug: 115956288 Change-Id: I7e1bfda4b568b9bac9012b198ecbb998da4f773d
108 lines
4 KiB
Text
108 lines
4 KiB
Text
# Perfetto tracing probes, has tracefs access.
|
|
type traced_probes_exec, exec_type, file_type;
|
|
|
|
# Allow init to exec the daemon.
|
|
init_daemon_domain(traced_probes)
|
|
|
|
# Write trace data to the Perfetto traced damon. This requires connecting to its
|
|
# producer socket and obtaining a (per-process) tmpfs fd.
|
|
allow traced_probes traced:fd use;
|
|
allow traced_probes traced_tmpfs:file { read write getattr map };
|
|
unix_socket_connect(traced_probes, traced_producer, traced)
|
|
|
|
# Allow traced_probes to access tracefs.
|
|
allow traced_probes debugfs_tracing:dir r_dir_perms;
|
|
allow traced_probes debugfs_tracing:file rw_file_perms;
|
|
allow traced_probes debugfs_trace_marker:file getattr;
|
|
|
|
# TODO(primiano): temporarily I/O tracing categories are still
|
|
# userdebug only until we nail down the blacklist/whitelist.
|
|
userdebug_or_eng(`
|
|
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
|
|
')
|
|
|
|
# Allow traced_probes to start with a higher scheduling class and then downgrade
|
|
# itself.
|
|
allow traced_probes self:global_capability_class_set { sys_nice };
|
|
|
|
# Allow procfs access
|
|
r_dir_file(traced_probes, domain)
|
|
|
|
# Allow to log to kernel dmesg when starting / stopping ftrace.
|
|
allow traced_probes kmsg_device:chr_file write;
|
|
|
|
# Allow traced_probes to list the system partition.
|
|
allow traced_probes system_file:dir { open read };
|
|
|
|
# Allow traced_probes to list some of the data partition.
|
|
allow traced_probes self:global_capability_class_set dac_read_search;
|
|
|
|
allow traced_probes apk_data_file:dir { getattr open read search };
|
|
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
|
|
userdebug_or_eng(`
|
|
allow traced_probes system_data_file:dir { getattr open read search };
|
|
')
|
|
allow traced_probes system_app_data_file:dir { getattr open read search };
|
|
allow traced_probes backup_data_file:dir { getattr open read search };
|
|
allow traced_probes bootstat_data_file:dir { getattr open read search };
|
|
allow traced_probes update_engine_data_file:dir { getattr open read search };
|
|
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
|
|
allow traced_probes user_profile_data_file:dir { getattr open read search };
|
|
|
|
# Allow traced_probes to run atrace. atrace pokes at system services to enable
|
|
# their userspace TRACE macros.
|
|
domain_auto_trans(traced_probes, atrace_exec, atrace);
|
|
|
|
# This is needed for: path="/system/bin/linker64"
|
|
# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
|
|
allow atrace traced_probes:fd use;
|
|
|
|
# Allow traced_probes to access /proc files for system stats.
|
|
# Note: trace data is NOT exposed to anything other than shell and privileged
|
|
# system apps that have access to the traced consumer socket.
|
|
allow traced_probes {
|
|
proc_meminfo
|
|
proc_vmstat
|
|
proc_stat
|
|
}:file r_file_perms;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### traced_probes should NEVER do any of this
|
|
|
|
# Disallow mapping executable memory (execstack and exec are already disallowed
|
|
# globally in domain.te).
|
|
neverallow traced_probes self:process execmem;
|
|
|
|
# Block device access.
|
|
neverallow traced_probes dev_type:blk_file { read write };
|
|
|
|
# ptrace any other app
|
|
neverallow traced_probes domain:process ptrace;
|
|
|
|
# Disallows access to /data files.
|
|
neverallow traced_probes {
|
|
data_file_type
|
|
-apk_data_file
|
|
-dalvikcache_data_file
|
|
-system_data_file
|
|
-system_app_data_file
|
|
-backup_data_file
|
|
-bootstat_data_file
|
|
-update_engine_data_file
|
|
-update_engine_log_data_file
|
|
-user_profile_data_file
|
|
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
|
|
# subsequent neverallow. Currently only getattr and search are allowed.
|
|
-vendor_data_file
|
|
-zoneinfo_data_file
|
|
}:dir *;
|
|
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
|
|
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
|
|
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
|
|
neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
|
|
|
|
# Only init is allowed to enter the traced_probes domain via exec()
|
|
neverallow { domain -init } traced_probes:process transition;
|
|
neverallow * traced_probes:process dyntransition;
|