• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Perfetto tracing probes, has tracefs access.
2type traced_probes_exec, system_file_type, exec_type, file_type;
3type traced_probes_tmpfs, file_type;
4
5# Allow init to exec the daemon.
6init_daemon_domain(traced_probes)
7tmpfs_domain(traced_probes)
8
9# Write trace data to the Perfetto traced damon. This requires connecting to its
10# producer socket and obtaining a (per-process) tmpfs fd.
11perfetto_producer(traced_probes)
12
13# Allow traced_probes to access tracefs.
14allow traced_probes debugfs_tracing:dir r_dir_perms;
15allow traced_probes debugfs_tracing:file rw_file_perms;
16allow traced_probes debugfs_trace_marker:file getattr;
17allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
18
19# Allow traced_probes to access mm_events trace instance
20allow traced_probes debugfs_tracing_instances:dir search;
21allow traced_probes debugfs_mm_events_tracing:dir search;
22allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
23
24# TODO(primiano): temporarily I/O tracing categories are still
25# userdebug only until we nail down the denylist/allowlist.
26userdebug_or_eng(`
27allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
28allow traced_probes debugfs_tracing_debug:file rw_file_perms;
29')
30
31# Allow traced_probes to start with a higher scheduling class and then downgrade
32# itself.
33allow traced_probes self:global_capability_class_set { sys_nice };
34
35# Allow procfs access
36r_dir_file(traced_probes, domain)
37
38# For kernel address symbolisation. Allow reading from /proc/kallsyms inherited
39# from init, as well as separately opening and locking the file for
40# coordinating the use of that shared fd.
41# On debuggable builds, allow using lower_kptr_restrict_prop to temporarily
42# lift kptr_restrict systemwide.
43userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
44allow traced_probes proc_kallsyms:file { open read lock };
45
46# Allow to read packages.list file.
47allow traced_probes packages_list_file:file r_file_perms;
48
49# Allow to read game_mode_intervention.list file.
50allow traced_probes game_mode_intervention_list_file:file r_file_perms;
51
52# Allow to log to kernel dmesg when starting / stopping ftrace.
53allow traced_probes kmsg_device:chr_file write;
54
55# Allow traced_probes to list the system partition.
56allow traced_probes system_file:dir { open read };
57
58# Allow traced_probes to list some of the data partition.
59allow traced_probes self:global_capability_class_set dac_read_search;
60
61allow traced_probes apk_data_file:dir { getattr open read search };
62allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
63allow traced_probes dalvikcache_data_file:dir { getattr open read search };
64userdebug_or_eng(`
65# search and getattr are granted via domain and coredomain, respectively.
66allow traced_probes system_data_file:dir { open read };
67')
68allow traced_probes system_app_data_file:dir { getattr open read search };
69allow traced_probes backup_data_file:dir { getattr open read search };
70allow traced_probes bootstat_data_file:dir { getattr open read search };
71allow traced_probes update_engine_data_file:dir { getattr open read search };
72allow traced_probes update_engine_log_data_file:dir { getattr open read search };
73allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
74
75# Allow traced_probes to run atrace. atrace pokes at system services to enable
76# their userspace TRACE macros.
77domain_auto_trans(traced_probes, atrace_exec, atrace);
78
79# Allow traced_probes to kill atrace on timeout.
80allow traced_probes atrace:process sigkill;
81
82# Allow traced_probes to access /proc files for system stats.
83# Note: trace data is NOT exposed to anything other than shell and privileged
84# system apps that have access to the traced consumer socket.
85allow traced_probes {
86  proc_meminfo
87  proc_vmstat
88  proc_stat
89  proc_buddyinfo
90  proc_pressure_cpu
91  proc_pressure_io
92  proc_pressure_mem
93}:file r_file_perms;
94
95# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
96allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
97allow traced_probes sysfs_devfreq_cur:file r_file_perms;
98
99# Allow access to read /proc/diskstats for I/O profiling.
100allow traced_probes proc_diskstats:file r_file_perms;
101
102# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
103hal_client_domain(traced_probes, hal_health)
104hal_client_domain(traced_probes, hal_power_stats)
105
106# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
107hal_client_domain(traced_probes, hal_atrace)
108
109# On debug builds allow to ingest system logs into the trace.
110userdebug_or_eng(`read_logd(traced_probes)')
111
112# Allow traced_probes to talk to statsd for logging metrics and recording atoms.
113unix_socket_send(traced_probes, statsdw, statsd)
114binder_call(traced_probes, statsd)
115allow traced_probes stats_service:service_manager find;
116
117# Allow traced_probes to talk to suspend control service to read details of kernel wakelocks.
118allow traced_probes system_suspend_control_internal_service:service_manager find;
119allow traced_probes system_suspend:binder call;
120
121# Allow reading the system property representing number of desktop windows to
122# set the initial value for the counter in traces.
123get_prop(traced_probes, debug_tracing_desktop_mode_visible_tasks_prop)
124
125###
126### Neverallow rules
127###
128### traced_probes should NEVER do any of this
129
130# Disallow mapping executable memory (execstack and exec are already disallowed
131# globally in domain.te).
132neverallow traced_probes self:process execmem;
133
134# Block device access.
135neverallow traced_probes dev_type:blk_file { read write };
136
137# ptrace any other app
138neverallow traced_probes domain:process ptrace;
139
140# Disallows access to /data files.
141neverallow traced_probes {
142  data_file_type
143  -apex_module_data_file
144  -apex_art_data_file
145  -apk_data_file
146  -dalvikcache_data_file
147  -system_data_file
148  -system_data_root_file
149  -media_userdir_file
150  -system_userdir_file
151  -vendor_userdir_file
152  -system_app_data_file
153  -backup_data_file
154  -bootstat_data_file
155  -update_engine_data_file
156  -update_engine_log_data_file
157  -user_profile_root_file
158  -user_profile_data_file
159  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
160  # subsequent neverallow. Currently only getattr and search are allowed.
161  -vendor_data_file
162  with_native_coverage(`-method_trace_data_file')
163}:dir *;
164neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
165neverallow traced_probes {
166  data_file_type
167  -packages_list_file
168  with_native_coverage(`-method_trace_data_file')
169  -game_mode_intervention_list_file
170}:file *;
171
172# Only init is allowed to enter the traced_probes domain via exec()
173neverallow { domain -init } traced_probes:process transition;
174neverallow * traced_probes:process dyntransition;
175
176