| Nikita Ioffe | 6069e7c | 2023-03-03 00:43:22 +0000 | [diff] [blame] | 1 | # SELinux policy for the traced daemon running inside Microdroid. |
| 2 | # For the host Android policy check system/sepolicy/private/traced.te |
| 3 | # So far, this is file contains a subset of rules defined for the host Android. |
| 4 | |
| 5 | type traced, domain, coredomain; |
| 6 | type traced_exec, system_file_type, exec_type, file_type; |
| 7 | type traced_tmpfs, file_type; |
| 8 | |
| 9 | # Allow init to exec traced daemon |
| 10 | init_daemon_domain(traced) |
| 11 | |
| 12 | # Required for perfetto_produced macro |
| 13 | tmpfs_domain(traced) |
| 14 | |
| 15 | # Allow to pass a file descriptor for the output trace from "perfetto" (the |
| 16 | # cmdline client) and other shell binaries to traced and let traced write |
| 17 | # directly into that (rather than returning the trace contents over the socket). |
| 18 | allow traced perfetto:fd use; |
| 19 | allow traced shell:fd use; |
| 20 | allow traced shell:fifo_file { read write }; |
| 21 | |
| 22 | # Allow the service to create new files within /data/misc/perfetto-traces. |
| 23 | allow traced perfetto_traces_data_file:file create_file_perms; |
| 24 | allow traced perfetto_traces_data_file:dir rw_dir_perms; |
| 25 | |
| 26 | # Allow traced to use shared memory supplied by producers. Typically, traced |
| 27 | # (i.e. the tracing service) creates the shared memory used for data transfer |
| 28 | # from the producer. This rule allows an alternative scheme, where the producer |
| 29 | # creates the shared memory, that is then adopted by traced (after validating |
| 30 | # that it is appropriately sealed). |
| 31 | # This list has to replicate the tmpfs domains of all applicable domains that |
| 32 | # have perfetto_producer() macro applied to them. |
| 33 | # perfetto_tmpfs excluded as it should never need to use the producer-supplied |
| 34 | # shared memory scheme. |
| 35 | allow traced traced_probes_tmpfs:file { getattr map read write }; |
| 36 | |
| 37 | |
| 38 | ### |
| 39 | ### Neverallow rules |
| 40 | ### |
| 41 | ### traced should NEVER do any of this |
| 42 | |
| 43 | # Block device access. |
| 44 | neverallow traced dev_type:blk_file { read write }; |
| 45 | |
| 46 | # ptrace any other process |
| 47 | neverallow traced domain:process ptrace; |
| 48 | |
| 49 | # Disallows access to /data files, still allowing to write to file descriptors |
| 50 | # passed through the socket. |
| 51 | neverallow traced { |
| 52 | data_file_type |
| 53 | -perfetto_traces_data_file |
| 54 | # We need following 3 lines because allow rules for them are defined at the |
| 55 | # domain/coredomain level. |
| 56 | -system_data_file |
| 57 | -system_data_root_file |
| 58 | -vendor_data_file |
| 59 | }:dir *; |
| 60 | |
| 61 | neverallow traced system_data_file:dir ~{ getattr search }; |
| 62 | neverallow traced { |
| 63 | data_file_type |
| 64 | -perfetto_traces_data_file |
| 65 | }:file ~write; |
| 66 | |
| 67 | # Only init is allowed to enter the traced domain via exec() |
| 68 | neverallow { domain -init } traced:process transition; |
| 69 | neverallow * traced:process dyntransition; |