aed0f76ee9
Give /data itself a different label to its contents, to ensure that only init creates files and directories there. This change originally landed as aosp/1106014 and was reverted in aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying problem, and with that we can re-land this change. Bug: 139190159 Bug: 140402208 Test: aosp boots, logs look good Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
129 lines
4.7 KiB
Text
129 lines
4.7 KiB
Text
# Perfetto tracing probes, has tracefs access.
|
|
type traced_probes_exec, system_file_type, exec_type, file_type;
|
|
|
|
# Allow init to exec the daemon.
|
|
init_daemon_domain(traced_probes)
|
|
|
|
# Write trace data to the Perfetto traced damon. This requires connecting to its
|
|
# producer socket and obtaining a (per-process) tmpfs fd.
|
|
allow traced_probes traced:fd use;
|
|
allow traced_probes traced_tmpfs:file { read write getattr map };
|
|
unix_socket_connect(traced_probes, traced_producer, traced)
|
|
|
|
# Allow traced_probes to access tracefs.
|
|
allow traced_probes debugfs_tracing:dir r_dir_perms;
|
|
allow traced_probes debugfs_tracing:file rw_file_perms;
|
|
allow traced_probes debugfs_trace_marker:file getattr;
|
|
|
|
# TODO(primiano): temporarily I/O tracing categories are still
|
|
# userdebug only until we nail down the blacklist/whitelist.
|
|
userdebug_or_eng(`
|
|
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
|
|
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
|
|
')
|
|
|
|
# Allow traced_probes to start with a higher scheduling class and then downgrade
|
|
# itself.
|
|
allow traced_probes self:global_capability_class_set { sys_nice };
|
|
|
|
# Allow procfs access
|
|
r_dir_file(traced_probes, domain)
|
|
|
|
# Allow to read packages.list file.
|
|
allow traced_probes packages_list_file:file r_file_perms;
|
|
|
|
# Allow to log to kernel dmesg when starting / stopping ftrace.
|
|
allow traced_probes kmsg_device:chr_file write;
|
|
|
|
# Allow traced_probes to list the system partition.
|
|
allow traced_probes system_file:dir { open read };
|
|
|
|
# Allow traced_probes to list some of the data partition.
|
|
allow traced_probes self:global_capability_class_set dac_read_search;
|
|
|
|
allow traced_probes apk_data_file:dir { getattr open read search };
|
|
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
|
|
userdebug_or_eng(`
|
|
# search and getattr are granted via domain and coredomain, respectively.
|
|
allow traced_probes system_data_file:dir { open read };
|
|
')
|
|
allow traced_probes system_app_data_file:dir { getattr open read search };
|
|
allow traced_probes backup_data_file:dir { getattr open read search };
|
|
allow traced_probes bootstat_data_file:dir { getattr open read search };
|
|
allow traced_probes update_engine_data_file:dir { getattr open read search };
|
|
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
|
|
allow traced_probes user_profile_data_file:dir { getattr open read search };
|
|
|
|
# Allow traced_probes to run atrace. atrace pokes at system services to enable
|
|
# their userspace TRACE macros.
|
|
domain_auto_trans(traced_probes, atrace_exec, atrace);
|
|
|
|
# Allow traced_probes to kill atrace on timeout.
|
|
allow traced_probes atrace:process sigkill;
|
|
|
|
# Allow traced_probes to access /proc files for system stats.
|
|
# Note: trace data is NOT exposed to anything other than shell and privileged
|
|
# system apps that have access to the traced consumer socket.
|
|
allow traced_probes {
|
|
proc_meminfo
|
|
proc_vmstat
|
|
proc_stat
|
|
}:file r_file_perms;
|
|
|
|
# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
|
|
hal_client_domain(traced_probes, hal_health)
|
|
hal_client_domain(traced_probes, hal_power_stats)
|
|
|
|
# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
|
|
hal_client_domain(traced_probes, hal_atrace)
|
|
|
|
# On debug builds allow to ingest system logs into the trace.
|
|
userdebug_or_eng(`read_logd(traced_probes)')
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### traced_probes should NEVER do any of this
|
|
|
|
# Disallow mapping executable memory (execstack and exec are already disallowed
|
|
# globally in domain.te).
|
|
neverallow traced_probes self:process execmem;
|
|
|
|
# Block device access.
|
|
neverallow traced_probes dev_type:blk_file { read write };
|
|
|
|
# ptrace any other app
|
|
neverallow traced_probes domain:process ptrace;
|
|
|
|
# Disallows access to /data files.
|
|
neverallow traced_probes {
|
|
data_file_type
|
|
-apk_data_file
|
|
-dalvikcache_data_file
|
|
-system_data_file
|
|
-system_data_root_file
|
|
-system_app_data_file
|
|
-backup_data_file
|
|
-bootstat_data_file
|
|
-update_engine_data_file
|
|
-update_engine_log_data_file
|
|
-user_profile_data_file
|
|
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
|
|
# subsequent neverallow. Currently only getattr and search are allowed.
|
|
-vendor_data_file
|
|
-zoneinfo_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:dir *;
|
|
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
|
|
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
|
|
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
|
|
neverallow traced_probes {
|
|
data_file_type
|
|
-zoneinfo_data_file
|
|
-packages_list_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:file *;
|
|
|
|
# Only init is allowed to enter the traced_probes domain via exec()
|
|
neverallow { domain -init } traced_probes:process transition;
|
|
neverallow * traced_probes:process dyntransition;
|