tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/perfetto.te
Yisroel Forta c5cb5a248d Add context that system server can access and perfetto can save traces to 
Give perfetto rw dir and create file permissions for new directory.
Give system server control to read, write, search, unlink files from new directory.

Test: locally ensure traces can be written by perfetto and accessed and deleted by system server
Bug: 293957254
Change-Id: Id015429b48ffffb73e7a71addddd48a22e4740bf
2024-02-21 16:43:57 +00:00

146 lines
5.4 KiB
Text
Raw Blame History

# Perfetto command-line client. Can be used only from the domains that are
# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
type perfetto_exec, system_file_type, exec_type, file_type;
type perfetto_tmpfs, file_type;
tmpfs_domain(perfetto);
# Allow init to start a trace (for perfetto_boottrace).
init_daemon_domain(perfetto)
# Allow to access traced's privileged consumer socket.
unix_socket_connect(perfetto, traced_consumer, traced)
# Connect to the Perfetto traced daemon as a producer. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(perfetto)
# Allow to write and unlink traces into /data/misc/perfetto-traces.
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
# Allow to write and unlink trace into /data/misc/perfetto-traces/bugreport*
allow perfetto perfetto_traces_bugreport_data_file:file create_file_perms;
allow perfetto perfetto_traces_bugreport_data_file:dir rw_dir_perms;
# Allow to write and unlink traces into /data/misc/perfetto-traces/profiling.
allow perfetto perfetto_traces_profiling_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_profiling_data_file:file create_file_perms;
# Allow perfetto to access the proxy service for reporting traces.
allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
binder_call(perfetto, system_server)
# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
# shell and adb can write files into that directory.
allow perfetto perfetto_configs_data_file:dir r_dir_perms;
allow perfetto perfetto_configs_data_file:file r_file_perms;
# Allow perfetto to read the trace config from statsd, mm_events and shell
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
allow perfetto { statsd mm_events shell su }:fd use;
allow perfetto { statsd mm_events shell su system_server }:fifo_file { getattr read write ioctl };
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
allow perfetto adbd:unix_stream_socket { read write };
# Allow adbd to reap perfetto.
allow perfetto adbd:process { sigchld };
# Allow perfetto to write to statsd.
unix_socket_send(perfetto, statsdw, statsd)
# Allow to access /dev/pts when launched in an adb shell.
allow perfetto devpts:chr_file rw_file_perms;
# Allow perfetto to ask incidentd to start a report.
# TODO(lalitm): remove all incidentd rules when proxy service is stable.
allow perfetto incident_service:service_manager find;
binder_call(perfetto, incidentd)
# perfetto log formatter calls isatty() on its stderr. Denial when running
# under adbd is harmless. Avoid generating denial logs.
dontaudit perfetto adbd:unix_stream_socket getattr;
dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
# As above, when adbd is running in "su" domain (only the ioctl is denied in
# practice).
dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
# Similarly, CTS tests end up hitting a denial on shell pipes.
dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
###
### Neverallow rules
###
# Disallow anyone else from being able to handle traces except selected system
# components.
neverallow {
domain
-init # The creator of the folder.
-perfetto # The owner of the folder.
-adbd # For pulling traces.
-shell # For devepment purposes.
-traced # For write_into_file traces.
-dumpstate # For attaching traces to bugreports.
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
-priv_app # For stating traces for bug-report UI.
-system_server # For accessing traces started by profiling apis.
} perfetto_traces_data_file:dir *;
neverallow {
domain
-init # The creator of the folder.
-perfetto # The owner of the folder.
-adbd # For pulling traces.
-shell # For devepment purposes.
-traced # For write_into_file traces.
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
} perfetto_traces_data_file:file ~{ getattr read };
### perfetto should NEVER do any of the following
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow perfetto self:process execmem;
# Block device access.
neverallow perfetto dev_type:blk_file { read write };
# ptrace any other process
neverallow perfetto domain:process ptrace;
# Disallows access to other /data files.
neverallow perfetto {
data_file_type
-system_data_file
-system_data_root_file
-media_userdir_file
-system_userdir_file
-vendor_userdir_file
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-perfetto_traces_profiling_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow perfetto {
system_data_file
-perfetto_traces_data_file
-perfetto_traces_profiling_data_file
}:dir ~{ getattr search };
neverallow perfetto {
data_file_type
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-perfetto_traces_profiling_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
Reference in a new issue View git blame Copy permalink