a64d5bb7ef
When recording hour-long traces, logcat messages help to interpret the trace, giving human readable context on what is happening on the system. Furthermore this is particularly helpful for startup debugging thanks to activity manager instrumentation events (am_on_create_called, am_on_start, ...). This is only allowed on userdebug/eng builds. Bug: 122243384 Change-Id: I4dfaebf21107e9853b0bf42403fbab6c3b4d5141
114 lines
4.3 KiB
Text
114 lines
4.3 KiB
Text
# Perfetto tracing probes, has tracefs access.
|
|
type traced_probes_exec, system_file_type, exec_type, file_type;
|
|
|
|
# Allow init to exec the daemon.
|
|
init_daemon_domain(traced_probes)
|
|
|
|
# Write trace data to the Perfetto traced damon. This requires connecting to its
|
|
# producer socket and obtaining a (per-process) tmpfs fd.
|
|
allow traced_probes traced:fd use;
|
|
allow traced_probes traced_tmpfs:file { read write getattr map };
|
|
unix_socket_connect(traced_probes, traced_producer, traced)
|
|
|
|
# Allow traced_probes to access tracefs.
|
|
allow traced_probes debugfs_tracing:dir r_dir_perms;
|
|
allow traced_probes debugfs_tracing:file rw_file_perms;
|
|
allow traced_probes debugfs_trace_marker:file getattr;
|
|
|
|
# TODO(primiano): temporarily I/O tracing categories are still
|
|
# userdebug only until we nail down the blacklist/whitelist.
|
|
userdebug_or_eng(`
|
|
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
|
|
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
|
|
')
|
|
|
|
# Allow traced_probes to start with a higher scheduling class and then downgrade
|
|
# itself.
|
|
allow traced_probes self:global_capability_class_set { sys_nice };
|
|
|
|
# Allow procfs access
|
|
r_dir_file(traced_probes, domain)
|
|
|
|
# Allow to log to kernel dmesg when starting / stopping ftrace.
|
|
allow traced_probes kmsg_device:chr_file write;
|
|
|
|
# Allow traced_probes to list the system partition.
|
|
allow traced_probes system_file:dir { open read };
|
|
|
|
# Allow traced_probes to list some of the data partition.
|
|
allow traced_probes self:global_capability_class_set dac_read_search;
|
|
|
|
allow traced_probes apk_data_file:dir { getattr open read search };
|
|
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
|
|
userdebug_or_eng(`
|
|
allow traced_probes system_data_file:dir { getattr open read search };
|
|
')
|
|
allow traced_probes system_app_data_file:dir { getattr open read search };
|
|
allow traced_probes backup_data_file:dir { getattr open read search };
|
|
allow traced_probes bootstat_data_file:dir { getattr open read search };
|
|
allow traced_probes update_engine_data_file:dir { getattr open read search };
|
|
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
|
|
allow traced_probes user_profile_data_file:dir { getattr open read search };
|
|
|
|
# Allow traced_probes to run atrace. atrace pokes at system services to enable
|
|
# their userspace TRACE macros.
|
|
domain_auto_trans(traced_probes, atrace_exec, atrace);
|
|
|
|
# Allow traced_probes to kill atrace on timeout.
|
|
allow traced_probes atrace:process sigkill;
|
|
|
|
# Allow traced_probes to access /proc files for system stats.
|
|
# Note: trace data is NOT exposed to anything other than shell and privileged
|
|
# system apps that have access to the traced consumer socket.
|
|
allow traced_probes {
|
|
proc_meminfo
|
|
proc_vmstat
|
|
proc_stat
|
|
}:file r_file_perms;
|
|
|
|
# Allow access to the IHealth HAL service for tracing battery counters.
|
|
hal_client_domain(traced_probes, hal_health)
|
|
|
|
# On debug builds allow to ingest system logs into the trace.
|
|
userdebug_or_eng(`read_logd(traced_probes)')
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### traced_probes should NEVER do any of this
|
|
|
|
# Disallow mapping executable memory (execstack and exec are already disallowed
|
|
# globally in domain.te).
|
|
neverallow traced_probes self:process execmem;
|
|
|
|
# Block device access.
|
|
neverallow traced_probes dev_type:blk_file { read write };
|
|
|
|
# ptrace any other app
|
|
neverallow traced_probes domain:process ptrace;
|
|
|
|
# Disallows access to /data files.
|
|
neverallow traced_probes {
|
|
data_file_type
|
|
-apk_data_file
|
|
-dalvikcache_data_file
|
|
-system_data_file
|
|
-system_app_data_file
|
|
-backup_data_file
|
|
-bootstat_data_file
|
|
-update_engine_data_file
|
|
-update_engine_log_data_file
|
|
-user_profile_data_file
|
|
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
|
|
# subsequent neverallow. Currently only getattr and search are allowed.
|
|
-vendor_data_file
|
|
-zoneinfo_data_file
|
|
}:dir *;
|
|
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
|
|
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
|
|
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
|
|
neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
|
|
|
|
# Only init is allowed to enter the traced_probes domain via exec()
|
|
neverallow { domain -init } traced_probes:process transition;
|
|
neverallow * traced_probes:process dyntransition;
|