54a86e2b5c
This CL adds the SELinux permissions required to execute atrace and get userspace tracing events from system services. This is to enable tracing of events coming from surfaceflinger, audio HAL, etc. atrace, when executed, sets a bunch of debug.atrace. properties and sends an IPC via binder/hwbinder to tell the services to reload that property. Change-Id: I2b0a66dcb519cb296e1d0e6e3f15a425dc809089 Bug: 73340039
90 lines
3.2 KiB
Text
90 lines
3.2 KiB
Text
# Perfetto tracing probes, has tracefs access.
|
|
type traced_probes, domain, coredomain;
|
|
type traced_probes_exec, exec_type, file_type;
|
|
|
|
# Allow init to exec the daemon.
|
|
init_daemon_domain(traced_probes)
|
|
|
|
# Write trace data to the Perfetto traced damon. This requires connecting to its
|
|
# producer socket and obtaining a (per-process) tmpfs fd.
|
|
allow traced_probes traced:fd use;
|
|
allow traced_probes traced_tmpfs:file { read write getattr map };
|
|
unix_socket_connect(traced_probes, traced_producer, traced)
|
|
|
|
# Allow traced_probes to access tracefs.
|
|
allow traced_probes debugfs_tracing:dir r_dir_perms;
|
|
allow traced_probes debugfs_tracing:file rw_file_perms;
|
|
allow traced_probes debugfs_trace_marker:file getattr;
|
|
|
|
# TODO(primiano): temporarily I/O tracing categories are still
|
|
# userdebug only until we nail down the blacklist/whitelist.
|
|
userdebug_or_eng(`
|
|
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
|
|
')
|
|
|
|
# Allow traced_probes to start with a higher scheduling class and then downgrade
|
|
# itself.
|
|
allow traced_probes self:global_capability_class_set { sys_nice };
|
|
|
|
# Allow procfs access
|
|
r_dir_file(traced_probes, domain)
|
|
|
|
# Allow to log to kernel dmesg when starting / stopping ftrace.
|
|
allow traced_probes kmsg_device:chr_file write;
|
|
|
|
# Allow traced_probes to list the system partition.
|
|
allow traced_probes system_file:dir { open read };
|
|
|
|
# ----- Begin of policies for exec(atrace) -----
|
|
# Allow traced_probes to run atrace. atrace pokes at system services to enable
|
|
# their userspace TRACE macros.
|
|
|
|
allow traced_probes atrace_exec:file rx_file_perms;
|
|
|
|
# This is needed for: path="/system/bin/linker64"
|
|
# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
|
|
allow atrace traced_probes:fd use;
|
|
|
|
# atrace sets debug.atrace.* properties to tell services to enable their
|
|
# userspace tracing.
|
|
set_prop(traced_probes, debug_prop)
|
|
|
|
# And then sends them an IPC to tell them to re-read that property.
|
|
binder_use(traced_probes)
|
|
allow traced_probes healthd:binder call;
|
|
allow traced_probes surfaceflinger:binder call;
|
|
get_prop(traced_probes, hwservicemanager_prop)
|
|
# ----- End of policies for exec(atrace) -----
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### traced_probes should NEVER do any of this
|
|
|
|
# Disallow mapping executable memory (execstack and exec are already disallowed
|
|
# globally in domain.te).
|
|
neverallow traced_probes self:process execmem;
|
|
|
|
# Block device access.
|
|
neverallow traced_probes dev_type:blk_file { read write };
|
|
|
|
# ptrace any other app
|
|
neverallow traced_probes domain:process ptrace;
|
|
|
|
# Disallows access to /data files.
|
|
neverallow traced_probes {
|
|
data_file_type
|
|
-system_data_file
|
|
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
|
|
# subsequent neverallow. Currently only getattr and search are allowed.
|
|
-vendor_data_file
|
|
-zoneinfo_data_file
|
|
}:dir *;
|
|
neverallow traced_probes system_data_file:dir ~{ getattr search };
|
|
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
|
|
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
|
|
neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
|
|
|
|
# Only init is allowed to enter the traced_probes domain via exec()
|
|
neverallow { domain -init } traced_probes:process transition;
|
|
neverallow * traced_probes:process dyntransition;
|