• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Perfetto user-space tracing daemon (unprivileged)
2
3# type traced is defined under /public (because iorapd rules
4# under public/ need to refer to it).
5type traced_exec, system_file_type, exec_type, file_type;
6
7# Allow init to exec the daemon.
8init_daemon_domain(traced)
9tmpfs_domain(traced)
10
11# Allow apps in other MLS contexts (for multi-user) to access
12# share memory buffers created by traced.
13typeattribute traced_tmpfs mlstrustedobject;
14
15# Allow traced to start with a lower scheduling class and change
16# class accordingly to what defined in the config provided by
17# the privileged process that controls it.
18allow traced self:global_capability_class_set { sys_nice };
19
20# Allow to pass a file descriptor for the output trace from "perfetto" (the
21# cmdline client) and other shell binaries to traced and let traced write
22# directly into that (rather than returning the trace contents over the socket).
23allow traced perfetto:fd use;
24allow traced shell:fd use;
25allow traced shell:fifo_file { read write };
26
27# Allow the service to create new files within /data/misc/perfetto-traces.
28allow traced perfetto_traces_data_file:file create_file_perms;
29allow traced perfetto_traces_data_file:dir rw_dir_perms;
30# ... and /data/misc/perfetto-traces/bugreport*
31allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
32allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
33
34# Allow traceur to pass open file descriptors to traced, so traced can directly
35# write into the output file without doing roundtrips over IPC.
36allow traced traceur_app:fd use;
37allow traced trace_data_file:file { read write };
38
39# Allow perfetto to access the proxy service for notifying Traceur.
40allow traced tracingproxy_service:service_manager find;
41binder_use(traced);
42binder_call(traced, system_server);
43
44# Allow iorapd to pass memfd descriptors to traced, so traced can directly
45# write into the shmem buffer file without doing roundtrips over IPC.
46allow traced iorapd:fd use;
47allow traced iorapd_tmpfs:file { read write };
48
49# Allow traced to use shared memory supplied by producers. Typically, traced
50# (i.e. the tracing service) creates the shared memory used for data transfer
51# from the producer. This rule allows an alternative scheme, where the producer
52# creates the shared memory, that is then adopted by traced (after validating
53# that it is appropriately sealed).
54# This list has to replicate the tmpfs domains of all applicable domains that
55# have perfetto_producer() macro applied to them.
56# perfetto_tmpfs excluded as it should never need to use the producer-supplied
57# shared memory scheme.
58allow traced  {
59  appdomain_tmpfs
60  heapprofd_tmpfs
61  surfaceflinger_tmpfs
62  traced_probes_tmpfs
63  userdebug_or_eng(`system_server_tmpfs')
64}:file { getattr map read write };
65
66# Allow traced to notify Traceur when a trace ends by setting the
67# sys.trace.trace_end_signal property.
68set_prop(traced, system_trace_prop)
69# Allow to lazily start producers.
70set_prop(traced, traced_lazy_prop)
71# Allow tracking the count of sessions intercepting Java OutOfMemoryError
72# If there are such tracing sessions and an OutOfMemoryError is thrown by ART,
73# the hprof plugin intercepts the error, lazily registers a data source to
74# traced and collects a heap dump.
75set_prop(traced, traced_oome_heap_session_count_prop)
76
77# Allow traced to talk to statsd for logging metrics.
78unix_socket_send(traced, statsdw, statsd)
79
80###
81### Neverallow rules
82###
83### traced should NEVER do any of this
84
85# Disallow mapping executable memory (execstack and exec are already disallowed
86# globally in domain.te).
87neverallow traced self:process execmem;
88
89# Block device access.
90neverallow traced dev_type:blk_file { read write };
91
92# ptrace any other process
93neverallow traced domain:process ptrace;
94
95# Disallows access to /data files, still allowing to write to file descriptors
96# passed through the socket.
97neverallow traced {
98  data_file_type
99  -perfetto_traces_data_file
100  -perfetto_traces_bugreport_data_file
101  -system_data_file
102  -system_data_root_file
103  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
104  # subsequent neverallow. Currently only getattr and search are allowed.
105  -vendor_data_file
106  -zoneinfo_data_file
107  with_native_coverage(`-method_trace_data_file')
108}:dir *;
109neverallow traced { system_data_file }:dir ~{ getattr search };
110neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
111neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
112neverallow traced {
113  data_file_type
114  -zoneinfo_data_file
115  -perfetto_traces_data_file
116  -perfetto_traces_bugreport_data_file
117  -trace_data_file
118  with_native_coverage(`-method_trace_data_file')
119}:file ~write;
120
121# Only init is allowed to enter the traced domain via exec()
122neverallow { domain -init } traced:process transition;
123neverallow * traced:process dyntransition;
124
125# Limit the processes that can access tracingproxy_service.
126neverallow {
127  domain
128  -traced
129  -dumpstate
130  -traceur_app
131  -shell
132  -system_server
133  -perfetto
134} tracingproxy_service:service_manager find;
135