sepolicy: add permissions for trace reporting
Bug: 205892741
Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 799d7ff..36cccdf 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -31,6 +31,12 @@
# Allow GMS core to communicate with statsd.
binder_call(gmscore_app, statsd)
+# Allow GMS core to receive Perfetto traces through the framework
+# (i.e. TracingServiceProxy) and sendfile them into its private directory
+# for reporting when network and battery conditions are appropriate.
+allow gmscore_app perfetto:fd use;
+allow gmscore_app perfetto_traces_data_file:file { read getattr };
+
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
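Review bot: The two new `allow gmscore_app` rules grant `read getattr` on perfetto_traces_data_file:file but neither `open` nor any `dir` permission, so (as far as SELinux path resolution goes) the trace files are reachable only through an fd received over binder, and that is what keeps this grant narrow — but the comment only mentions sendfile and never states it. Suggest making it explicit so the rule is not widened later by someone adding `open`: `# Note: no 'open' or dir permissions on purpose; the trace is only reachable via the fd handed over by TracingServiceProxy.` The priv_app.te hunk in this change has the same gap: its `allow priv_app perfetto_traces_data_file:file { read getattr }` also relies on the absence of `open`, and there priv_app already has `dir search`, so the omission is the only thing preventing path-based reads.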
diff --git a/private/perfetto.te b/private/perfetto.te
index 174855f..5897aed 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -22,10 +22,10 @@
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
-# Allow to access binder to pass the traces to Dropbox.
+# Allow perfetto to access the proxy service for reporting traces.
+allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
binder_call(perfetto, system_server)
-allow perfetto dropbox_service:service_manager find;
# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
# shell and adb can write files into that directory.
@@ -52,6 +52,7 @@
allow perfetto devpts:chr_file rw_file_perms;
# Allow perfetto to ask incidentd to start a report.
+# TODO(lalitm): remove all incidentd rules when proxy service is stable.
allow perfetto incident_service:service_manager find;
binder_call(perfetto, incidentd)
@@ -68,7 +69,31 @@
###
### Neverallow rules
###
-### perfetto should NEVER do any of this
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -dumpstate # For attaching traces to bugreports.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+ -priv_app # For stating traces for bug-report UI.
+} perfetto_traces_data_file:dir *;
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
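Review bot: The two neverallow exemption lists differ — dumpstate and priv_app are exempt from the `:dir *` rule but not from the `:file ~{ getattr read }` rule — and nothing explains the asymmetry, so a future reader could "fix" it by adding them to the file rule and thereby let those domains open trace files by path. Suggest a comment ahead of the second neverallow along the lines of `# Consumers (priv_app, dumpstate, system_server, app domains) are deliberately absent here: they get at most read/getattr and must receive the file fd over binder rather than open the file.` This assumes dumpstate's existing perfetto_traces_data_file:file rules are limited to read/getattr, which this hunk does not show (the neverallow would fail the build otherwise). The inline comments also have typos: `devepment` in both lists should be `development`, and `stating traces` presumably `starting traces`.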
diff --git a/private/priv_app.te b/private/priv_app.te
index 909e676..2535222 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -86,6 +86,13 @@
# Required to traverse the parent dir (/data/misc/perfetto-traces).
allow priv_app perfetto_traces_data_file:dir { search };
+# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
+# the framework (i.e. TracingServiceProxy) and sendfile them into their private
+# directories for reporting when network and battery conditions are
+# appropriate.
+allow priv_app perfetto:fd use;
+allow priv_app perfetto_traces_data_file:file { read getattr };
+
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
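Review bot: The comment names BetterBug as the beneficiary, but the two new `allow priv_app` rules apply to every domain in priv_app, i.e. any privileged app can now `use` perfetto fds and read any trace file it is handed; the comment should say so rather than read as if it covered a single app. Suggest `# Note: this applies to all priv_app domains, not only BetterBug; which app actually receives a trace fd is decided by the framework.` — the last clause is my reading of the TracingServiceProxy mention and should be confirmed against the framework side. The enclosing block of priv_app rules continues outside the hunk.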
diff --git a/private/system_server.te b/private/system_server.te
index 68792e8..ee454a6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -524,9 +524,9 @@
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;
-# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
-allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;
# Manage /data/backup.
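Review bot: The reworded comment explains the new owner of the rule but not why `getattr` is added alongside `read`; the same `{ read getattr }` widening appears in the gmscore_app.te and priv_app.te hunks, also unexplained. Presumably the proxy fstat()s the received fd (e.g. to size the transfer); if so, one line would do: `# getattr is needed to fstat the received fd before forwarding it.` Please confirm the reason rather than copy my guess.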
diff --git a/private/traced.te b/private/traced.te
index fc9a245..a6e200e 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -118,4 +118,12 @@
neverallow * traced:process dyntransition;
# Limit the processes that can access tracingproxy_service.
-neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
+neverallow {
+ domain
+ -traced
+ -dumpstate
+ -traceur_app
+ -shell
+ -system_server
+ -perfetto
+} tracingproxy_service:service_manager find;
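Review bot: The reformatted exemption list leaves every entry unexplained, whereas the neverallow blocks added to perfetto.te in this same change annotate each exemption, so a reader of traced.te cannot tell why shell or traceur_app may find the proxy or what perfetto now needs it for. Suggest annotating at least the new entry, `-perfetto # For reporting traces through TracingServiceProxy.`, and ideally the existing ones in the same style. The hunk appears to run to the end of the file as far as SOURCE shows, so nothing follows it to check.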