platform_system_sepolicy/prebuilts/api/31.0/private/traced.te
Carmen Jackson 2d6fb3971b Ensure that only desired processes can access TracingServiceProxy
This change adds a neverallow rule in traced.te to limit the processes
that can find tracingproxy_service, the context for TracingServiceProxy.

I wanted to avoid moving the tracingproxy_service definition to public,
so there were a few services that are exempted from this neverallow
rule.

Bug: 191391382
Test: Manually verified that with this change, along with the other
change in this topic, I see no errors when taking a bugreport while a
Traceur trace is running and the expected trace is included in the
generated bugreport.

Change-Id: I28d0b1b08baac43a53fe5a1ff0f67b788d51dc74
Merged-In: I8658df0db92ae9cf4fefe2eebb4d6d9a5349ea89
2021-06-24 18:42:57 +00:00

121 lines
4.6 KiB
Text

# Perfetto user-space tracing daemon (unprivileged)
# type traced is defined under /public (because iorapd rules
# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced)
tmpfs_domain(traced)
# Allow apps in other MLS contexts (for multi-user) to access
# share memory buffers created by traced.
typeattribute traced_tmpfs mlstrustedobject;
# Allow traced to start with a lower scheduling class and change
# class accordingly to what defined in the config provided by
# the privileged process that controls it.
allow traced self:global_capability_class_set { sys_nice };
# Allow to pass a file descriptor for the output trace from "perfetto" (the
# cmdline client) and other shell binaries to traced and let traced write
# directly into that (rather than returning the trace contents over the socket).
allow traced perfetto:fd use;
allow traced shell:fd use;
allow traced shell:fifo_file { read write };
# Allow the service to create new files within /data/misc/perfetto-traces.
allow traced perfetto_traces_data_file:file create_file_perms;
allow traced perfetto_traces_data_file:dir rw_dir_perms;
# ... and /data/misc/perfetto-traces/bugreport*
allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
# Allow traceur to pass open file descriptors to traced, so traced can directly
# write into the output file without doing roundtrips over IPC.
allow traced traceur_app:fd use;
allow traced trace_data_file:file { read write };
# Allow perfetto to access the proxy service for notifying Traceur.
allow traced tracingproxy_service:service_manager find;
binder_use(traced);
binder_call(traced, system_server);
# Allow iorapd to pass memfd descriptors to traced, so traced can directly
# write into the shmem buffer file without doing roundtrips over IPC.
allow traced iorapd:fd use;
allow traced iorapd_tmpfs:file { read write };
# Allow traced to use shared memory supplied by producers. Typically, traced
# (i.e. the tracing service) creates the shared memory used for data transfer
# from the producer. This rule allows an alternative scheme, where the producer
# creates the shared memory, that is then adopted by traced (after validating
# that it is appropriately sealed).
# This list has to replicate the tmpfs domains of all applicable domains that
# have perfetto_producer() macro applied to them.
# perfetto_tmpfs excluded as it should never need to use the producer-supplied
# shared memory scheme.
allow traced {
appdomain_tmpfs
heapprofd_tmpfs
surfaceflinger_tmpfs
traced_probes_tmpfs
userdebug_or_eng(`system_server_tmpfs')
}:file { getattr map read write };
# Allow traced to notify Traceur when a trace ends by setting the
# sys.trace.trace_end_signal property.
set_prop(traced, system_trace_prop)
# Allow to lazily start producers.
set_prop(traced, traced_lazy_prop)
# Allow traced to talk to statsd for logging metrics.
unix_socket_send(traced, statsdw, statsd)
###
### Neverallow rules
###
### traced should NEVER do any of this
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced self:process execmem;
# Block device access.
neverallow traced dev_type:blk_file { read write };
# ptrace any other process
neverallow traced domain:process ptrace;
# Disallows access to /data files, still allowing to write to file descriptors
# passed through the socket.
neverallow traced {
data_file_type
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-system_data_file
-system_data_root_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced {
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-trace_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
# Limit the processes that can access tracingproxy_service.
neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;