# Perfetto tracing probes daemon. Has tracefs access (userdebug/eng only for
# now) and forwards trace data to the traced daemon over its producer socket.
type traced_probes;
typeattribute traced_probes domain, coredomain;
type traced_probes_exec;
typeattribute traced_probes_exec exec_type, file_type;
| 4 | |
# Allow init to exec the daemon: init_daemon_domain() sets up the automatic
# init -> traced_probes domain transition on exec of traced_probes_exec.
init_daemon_domain(traced_probes)
| 7 | |
# Talk to the Perfetto traced daemon as a producer: connect to its producer
# socket, use the fd traced hands over, and read/write/map the (per-process)
# traced tmpfs file that fd refers to.
unix_socket_connect(traced_probes, traced_producer, traced)
allow traced_probes traced:fd use;
allow traced_probes traced_tmpfs:file { getattr map read write };
| 13 | |
# tracefs access. Note this is read/write on the tracefs files, i.e. the daemon
# can change the kernel tracing configuration, not merely read trace output.
# TODO(primiano): userdebug/eng only for the moment, until we get an approval
# for user builds.
userdebug_or_eng(`
allow traced_probes debugfs_trace_marker:file getattr;
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
')
| 23 | |
# CAP_SYS_NICE: the daemon starts in a higher scheduling class and then lowers
# its own priority.
allow traced_probes self:global_capability_class_set sys_nice;
| 27 | |
# procfs access. The target is the `domain` attribute, which every process
# domain carries, so this grants read access to the /proc/<pid> entries
# (directories, regular files and symlinks) of every process on the system.
# Expanded form of r_dir_file(traced_probes, domain).
allow traced_probes domain:dir r_dir_perms;
allow traced_probes domain:{ file lnk_file } r_file_perms;
| 30 | |
###
### Neverallow rules
###
### Things traced_probes must never be able to do.

# No executable anonymous memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced_probes self:process { execmem };
| 39 | |
# No raw block device access.
neverallow traced_probes dev_type:blk_file { write read };
| 42 | |
# Must not ptrace any process.
neverallow traced_probes domain:process { ptrace };
| 45 | |
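# Disallow access to /data files. The subject of these rules must be
# traced_probes: this file declares the traced_probes domain, and a rule on
# `traced` only constrains the traced daemon while leaving traced_probes
# completely unconstrained, so the "should NEVER" guarantee above would not
# hold for this domain.
neverallow traced_probes { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
neverallow traced_probes system_data_file:dir ~{ getattr search };
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;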
| 52 | |
# traced_probes may only be entered by init via exec(): no dynamic transitions
# from anyone, and no exec transitions from any domain other than init.
neverallow * traced_probes:process dyntransition;
neverallow { domain -init } traced_probes:process transition;