platform_system_sepolicy/private/perfetto.te
Hector Dearman 3fa4ac55aa Allow adb root to send config to perfetto
The perfetto binary (the frontend to traced) reads an input config
from stdin. This CL adds allows perfetto to read the config
from adb shell when the user is rooted

Sample denials:
avc: denied { read } for comm="perfetto" path="pipe:[92340]"
dev="pipefs" ino=92340 scontext=u:r:perfetto:s0 tcontext=u:r:su:s0
tclass=fifo_file permissive=0
avc: denied { read } for comm="perfetto" path="pipe:[92491]"
dev="pipefs" ino=92491 scontext=u:r:perfetto:s0 tcontext=u:r:su:s0
tclass=fifo_file permissive=0

Test: adb root
adb shell
echo 'duration_ms: 1000;' > /sdcard/config
cat /sdcard/config | perfetto --txt -c - -d

Change-Id: I12042dfa9a2c262cec907f0231ce2184f46d1be8
2018-11-20 10:05:45 +00:00

67 lines
2.4 KiB
Text

# Perfetto command-line client. Can be used only from the domains that are
# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
type perfetto, domain, coredomain;
type perfetto_exec, system_file_type, exec_type, file_type;
tmpfs_domain(perfetto);
# Allow to access traced's privileged consumer socket.
unix_socket_connect(perfetto, traced_consumer, traced)
# Allow to write and unlink traces into /data/misc/perfetto-traces.
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
# Allow to access binder to pass the traces to Dropbox.
binder_use(perfetto)
binder_call(perfetto, system_server)
allow perfetto dropbox_service:service_manager find;
# Allow perfetto to read the trace config from statsd and shell
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
allow perfetto { statsd shell su }:fd use;
allow perfetto { statsd shell su }:fifo_file { getattr read write };
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
allow perfetto adbd:unix_stream_socket { read write };
# allow adbd to reap perfetto
allow perfetto adbd:process { sigchld };
# Allow to access /dev/pts when launched in an adb shell.
allow perfetto devpts:chr_file rw_file_perms;
###
### Neverallow rules
###
### perfetto should NEVER do any of this
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow perfetto self:process execmem;
# Block device access.
neverallow perfetto dev_type:blk_file { read write };
# ptrace any other process
neverallow perfetto domain:process ptrace;
# Disallows access to other /data files.
neverallow perfetto {
data_file_type
-system_data_file
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-zoneinfo_data_file
-perfetto_traces_data_file
}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;