commit 9fcf22bb812b9c34a1dc2cbdd70f71de76c14e8b
author Florian Mayer <fmayer@google.com> Fri Mar 02 10:52:56 2018 +0000
committer Primiano Tucci <primiano@google.com> Fri Mar 30 00:32:34 2018 +0000
tree ae1a3fbb79f94fe160b2b053f48f6a3668c3b02d
parent 4b625e4a358b5f594ac68cb5f7823bf9d5374a67

SELinux changes for I/O tracing.

See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Change-Id: I891a0209be981d760a828a69e4831e238248ebad

private/traced_probes.te

diff --git a/private/traced_probes.te b/private/traced_probes.te
index 46d92f7..e6a3dfe 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -1,5 +1,4 @@
 # Perfetto tracing probes, has tracefs access.
-type traced_probes, domain, coredomain;
 type traced_probes_exec, exec_type, file_type;
 
 # Allow init to exec the daemon.
@@ -35,6 +34,21 @@
 # Allow traced_probes to list the system partition.
 allow traced_probes system_file:dir { open read };
 
+# Allow traced_probes to list some of the data partition.
+allow traced_probes self:capability dac_read_search;
+
+allow traced_probes apk_data_file:dir { getattr open read };
+allow traced_probes dalvikcache_data_file:dir { getattr open read };
+userdebug_or_eng(`
+allow traced_probes system_data_file:dir { getattr open read };
+')
+allow traced_probes system_app_data_file:dir { getattr open read };
+allow traced_probes backup_data_file:dir { getattr open read };
+allow traced_probes bootstat_data_file:dir { getattr open read };
+allow traced_probes update_engine_data_file:dir { getattr open read };
+allow traced_probes update_engine_log_data_file:dir { getattr open read };
+allow traced_probes user_profile_data_file:dir { getattr open read };
+
 # Allow traced_probes to run atrace. atrace pokes at system services to enable
 # their userspace TRACE macros.
 domain_auto_trans(traced_probes, atrace_exec, atrace);
@@ -61,13 +75,21 @@
 # Disallows access to /data files.
 neverallow traced_probes {
   data_file_type
+  -apk_data_file
+  -dalvikcache_data_file
   -system_data_file
+  -system_app_data_file
+  -backup_data_file
+  -bootstat_data_file
+  -update_engine_data_file
+  -update_engine_log_data_file
+  -user_profile_data_file
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
   -zoneinfo_data_file
 }:dir *;
-neverallow traced_probes system_data_file:dir ~{ getattr search };
+neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
 neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;