ce9c0c5a5f
Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
84 lines
3 KiB
Text
84 lines
3 KiB
Text
# Perfetto user-space tracing daemon (unprivileged)
|
|
|
|
# type traced is defined under /public (because iorapd rules
|
|
# under public/ need to refer to it).
|
|
type traced_exec, system_file_type, exec_type, file_type;
|
|
type traced_tmpfs, file_type;
|
|
|
|
# Allow init to exec the daemon.
|
|
init_daemon_domain(traced)
|
|
tmpfs_domain(traced)
|
|
|
|
# Allow apps in other MLS contexts (for multi-user) to access
|
|
# share memory buffers created by traced.
|
|
typeattribute traced_tmpfs mlstrustedobject;
|
|
|
|
# Allow traced to start with a lower scheduling class and change
|
|
# class accordingly to what defined in the config provided by
|
|
# the privileged process that controls it.
|
|
allow traced self:global_capability_class_set { sys_nice };
|
|
|
|
# Allow to pass a file descriptor for the output trace from "perfetto" (the
|
|
# cmdline client) and other shell binaries to traced and let traced write
|
|
# directly into that (rather than returning the trace contents over the socket).
|
|
allow traced perfetto:fd use;
|
|
allow traced shell:fd use;
|
|
allow traced shell:fifo_file { read write };
|
|
allow traced perfetto_traces_data_file:file { read write };
|
|
|
|
# Allow traceur to pass open file descriptors to traced, so traced can directly
|
|
# write into the output file without doing roundtrips over IPC.
|
|
allow traced traceur_app:fd use;
|
|
allow traced trace_data_file:file { read write };
|
|
|
|
# Allow iorapd to pass memfd descriptors to traced, so traced can directly
|
|
# write into the shmem buffer file without doing roundtrips over IPC.
|
|
allow traced iorapd:fd use;
|
|
allow traced iorapd_tmpfs:file { read write };
|
|
|
|
# Allow traced to notify Traceur when a trace ends by setting the
|
|
# sys.trace.trace_end_signal property.
|
|
set_prop(traced, system_trace_prop)
|
|
# Allow to lazily start producers.
|
|
set_prop(traced, traced_lazy_prop)
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### traced should NEVER do any of this
|
|
|
|
# Disallow mapping executable memory (execstack and exec are already disallowed
|
|
# globally in domain.te).
|
|
neverallow traced self:process execmem;
|
|
|
|
# Block device access.
|
|
neverallow traced dev_type:blk_file { read write };
|
|
|
|
# ptrace any other process
|
|
neverallow traced domain:process ptrace;
|
|
|
|
# Disallows access to /data files, still allowing to write to file descriptors
|
|
# passed through the socket.
|
|
neverallow traced {
|
|
data_file_type
|
|
-system_data_file
|
|
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
|
|
# subsequent neverallow. Currently only getattr and search are allowed.
|
|
-vendor_data_file
|
|
-zoneinfo_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:dir *;
|
|
neverallow traced { system_data_file }:dir ~{ getattr search };
|
|
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
|
|
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
|
|
neverallow traced {
|
|
data_file_type
|
|
-zoneinfo_data_file
|
|
-perfetto_traces_data_file
|
|
-trace_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:file ~write;
|
|
|
|
# Only init is allowed to enter the traced domain via exec()
|
|
neverallow { domain -init } traced:process transition;
|
|
neverallow * traced:process dyntransition;
|