| Primiano Tucci | c80f9e0 | 2017-12-21 03:51:15 +0100 | [diff] [blame] | 1 | # Perfetto user-space tracing daemon (unprivileged) |
| Primiano Tucci | 5ef6669 | 2018-02-21 13:44:39 +0000 | [diff] [blame] | 2 | type traced, domain, coredomain, mlstrustedsubject; |
| Nick Kralevich | 5e37271 | 2018-09-27 10:21:37 -0700 | [diff] [blame] | 3 | type traced_exec, system_file_type, exec_type, file_type; |
| Primiano Tucci | c80f9e0 | 2017-12-21 03:51:15 +0100 | [diff] [blame] | 4 | |
| 5 | # Allow init to exec the daemon. |
| 6 | init_daemon_domain(traced) |
| 7 | |
| Primiano Tucci | 5ef6669 | 2018-02-21 13:44:39 +0000 | [diff] [blame] | 8 | # Allow apps in other MLS contexts (for multi-user) to access |
| 9 | # share memory buffers created by traced. |
| 10 | typeattribute traced_tmpfs mlstrustedobject; |
| 11 | |
| Primiano Tucci | c80f9e0 | 2017-12-21 03:51:15 +0100 | [diff] [blame] | 12 | # Allow traced to start with a lower scheduling class and change |
| 13 | # class accordingly to what defined in the config provided by |
| 14 | # the privileged process that controls it. |
| 15 | allow traced self:global_capability_class_set { sys_nice }; |
| 16 | |
| Primiano Tucci | 5d31732 | 2018-03-26 01:54:52 +0100 | [diff] [blame] | 17 | # Allow to pass a file descriptor for the output trace from "perfetto" (the |
| 18 | # cmdline client) and other shell binaries to traced and let traced write |
| 19 | # directly into that (rather than returning the trace contents over the socket). |
| 20 | allow traced perfetto:fd use; |
| 21 | allow traced shell:fd use; |
| Carmen Jackson | 9678e07 | 2019-01-10 12:17:40 -0800 | [diff] [blame] | 22 | allow traced traceur_app:fd use; |
| Primiano Tucci | 5d31732 | 2018-03-26 01:54:52 +0100 | [diff] [blame] | 23 | allow traced perfetto_traces_data_file:file { read write }; |
| Carmen Jackson | 9678e07 | 2019-01-10 12:17:40 -0800 | [diff] [blame] | 24 | allow traced trace_data_file:file { read write }; |
| Primiano Tucci | 5d31732 | 2018-03-26 01:54:52 +0100 | [diff] [blame] | 25 | |
| Primiano Tucci | c80f9e0 | 2017-12-21 03:51:15 +0100 | [diff] [blame] | 26 | ### |
| 27 | ### Neverallow rules |
| 28 | ### |
| 29 | ### traced should NEVER do any of this |
| 30 | |
| 31 | # Disallow mapping executable memory (execstack and exec are already disallowed |
| 32 | # globally in domain.te). |
| 33 | neverallow traced self:process execmem; |
| 34 | |
| 35 | # Block device access. |
| 36 | neverallow traced dev_type:blk_file { read write }; |
| 37 | |
| 38 | # ptrace any other process |
| 39 | neverallow traced domain:process ptrace; |
| 40 | |
| 41 | # Disallows access to /data files, still allowing to write to file descriptors |
| 42 | # passed through the socket. |
| Jeff Vander Stoep | d25ccab | 2018-02-07 16:29:06 -0800 | [diff] [blame] | 43 | neverallow traced { |
| 44 | data_file_type |
| 45 | -system_data_file |
| 46 | # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a |
| 47 | # subsequent neverallow. Currently only getattr and search are allowed. |
| 48 | -vendor_data_file |
| 49 | -zoneinfo_data_file |
| 50 | }:dir *; |
| 51 | neverallow traced { system_data_file }:dir ~{ getattr search }; |
| Primiano Tucci | c80f9e0 | 2017-12-21 03:51:15 +0100 | [diff] [blame] | 52 | neverallow traced zoneinfo_data_file:dir ~r_dir_perms; |
| 53 | neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *; |
| Primiano Tucci | 5d31732 | 2018-03-26 01:54:52 +0100 | [diff] [blame] | 54 | neverallow traced { |
| 55 | data_file_type |
| 56 | -zoneinfo_data_file |
| 57 | -perfetto_traces_data_file |
| Carmen Jackson | 9678e07 | 2019-01-10 12:17:40 -0800 | [diff] [blame] | 58 | -trace_data_file |
| Primiano Tucci | 5d31732 | 2018-03-26 01:54:52 +0100 | [diff] [blame] | 59 | }:file ~write; |
| Primiano Tucci | c80f9e0 | 2017-12-21 03:51:15 +0100 | [diff] [blame] | 60 | |
| 61 | # Only init is allowed to enter the traced domain via exec() |
| 62 | neverallow { domain -init } traced:process transition; |
| 63 | neverallow * traced:process dyntransition; |