commit c80f9e037bedb09d08a261f255f87ea105fa371b
author Primiano Tucci <primiano@google.com> Thu Dec 21 03:51:15 2017 +0100
committer Primiano Tucci <primiano@google.com> Wed Jan 10 00:18:46 2018 +0000
tree 1848d90af76a40ae0e3d26906141645b4df3dc59
parent 31b11d8ef894f60d1d63de6c5fc9d75f59d50bcc

Perfetto SELinux policies

Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd.
   It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream
     tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
     from traced to each client process, which needs to be able to
     mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from:
     shell, statsd). It allows to configure tracing and read the trace
     buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405

private/traced.te

diff --git a/private/traced.te b/private/traced.te
new file mode 100644
index 0000000..bb7a091
--- /dev/null
+++ b/private/traced.te
@@ -0,0 +1,38 @@
+# Perfetto user-space tracing daemon (unprivileged)
+type traced, domain, coredomain;
+type traced_exec, exec_type, file_type;
+
+# Allow init to exec the daemon.
+init_daemon_domain(traced)
+
+# Allow traced to start with a lower scheduling class and change
+# class accordingly to what defined in the config provided by
+# the privileged process that controls it.
+allow traced self:global_capability_class_set { sys_nice };
+
+###
+### Neverallow rules
+###
+### traced should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow traced self:process execmem;
+
+# Block device access.
+neverallow traced dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow traced domain:process ptrace;
+
+# Disallows access to /data files, still allowing to write to file descriptors
+# passed through the socket.
+neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
+neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;
+
+# Only init is allowed to enter the traced domain via exec()
+neverallow { domain -init } traced:process transition;
+neverallow * traced:process dyntransition;