1# Perfetto command-line client. Can be used only from the domains that are 2# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto). 3# This command line client accesses the privileged socket of the traced 4# daemon. 5 6type perfetto_exec, system_file_type, exec_type, file_type; 7type perfetto_tmpfs, file_type; 8 9tmpfs_domain(perfetto); 10 11# Allow to access traced's privileged consumer socket. 12unix_socket_connect(perfetto, traced_consumer, traced) 13 14# Connect to the Perfetto traced daemon as a producer. This requires 15# connecting to its producer socket and obtaining a (per-process) tmpfs fd. 16perfetto_producer(perfetto) 17 18# Allow to write and unlink traces into /data/misc/perfetto-traces. 19allow perfetto perfetto_traces_data_file:dir rw_dir_perms; 20allow perfetto perfetto_traces_data_file:file create_file_perms; 21 22# Allow to access binder to pass the traces to Dropbox. 23binder_use(perfetto) 24binder_call(perfetto, system_server) 25allow perfetto dropbox_service:service_manager find; 26 27# Allow perfetto to read the trace config from /data/misc/perfetto-configs. 28# shell and adb can write files into that directory. 29allow perfetto perfetto_configs_data_file:dir r_dir_perms; 30allow perfetto perfetto_configs_data_file:file r_file_perms; 31 32# Allow perfetto to read the trace config from statsd, mm_events and shell 33# (both root and non-root) on stdin and also to write the resulting trace to 34# stdout. 35allow perfetto { statsd mm_events shell su }:fd use; 36allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write }; 37 38# Allow to communicate use, read and write over the adb connection. 39allow perfetto adbd:fd use; 40allow perfetto adbd:unix_stream_socket { read write }; 41 42# Allow adbd to reap perfetto. 43allow perfetto adbd:process { sigchld }; 44 45# Allow perfetto to write to statsd. 46unix_socket_send(perfetto, statsdw, statsd) 47 48# Allow to access /dev/pts when launched in an adb shell. 49allow perfetto devpts:chr_file rw_file_perms; 50 51# Allow perfetto to ask incidentd to start a report. 52allow perfetto incident_service:service_manager find; 53binder_call(perfetto, incidentd) 54 55# perfetto log formatter calls isatty() on its stderr. Denial when running 56# under adbd is harmless. Avoid generating denial logs. 57dontaudit perfetto adbd:unix_stream_socket getattr; 58dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls; 59# As above, when adbd is running in "su" domain (only the ioctl is denied in 60# practice). 61dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls; 62# Similarly, CTS tests end up hitting a denial on shell pipes. 63dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls; 64 65### 66### Neverallow rules 67### 68### perfetto should NEVER do any of this 69 70# Disallow mapping executable memory (execstack and exec are already disallowed 71# globally in domain.te). 72neverallow perfetto self:process execmem; 73 74# Block device access. 75neverallow perfetto dev_type:blk_file { read write }; 76 77# ptrace any other process 78neverallow perfetto domain:process ptrace; 79 80# Disallows access to other /data files. 81neverallow perfetto { 82 data_file_type 83 -system_data_file 84 -system_data_root_file 85 # TODO(b/72998741) Remove exemption. Further restricted in a subsequent 86 # neverallow. Currently only getattr and search are allowed. 87 -vendor_data_file 88 -zoneinfo_data_file 89 -perfetto_traces_data_file 90 -perfetto_configs_data_file 91 with_native_coverage(`-method_trace_data_file') 92}:dir *; 93neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search }; 94neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms; 95neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *; 96neverallow perfetto { 97 data_file_type 98 -zoneinfo_data_file 99 -perfetto_traces_data_file 100 -perfetto_configs_data_file 101 with_native_coverage(`-method_trace_data_file') 102}:file ~write; 103