private/perfetto.te - platform/system/sepolicy - Git at Google

 # Perfetto command-line client. Can be used only from the domains that are
 # explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
 # This command line client accesses the privileged socket of the traced
 # daemon.

 type perfetto_exec, system_file_type, exec_type, file_type;
 type perfetto_tmpfs, file_type;

 tmpfs_domain(perfetto);

 # Allow init to start a trace (for perfetto_boottrace).
 init_daemon_domain(perfetto)

 # Allow to access traced's privileged consumer socket.
 unix_socket_connect(perfetto, traced_consumer, traced)

 # Connect to the Perfetto traced daemon as a producer. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(perfetto)

 # Allow to write and unlink traces into /data/misc/perfetto-traces.
 allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
 allow perfetto perfetto_traces_data_file:file create_file_perms;

 # Allow perfetto to access the proxy service for reporting traces.
 allow perfetto tracingproxy_service:service_manager find;
 binder_use(perfetto)
 binder_call(perfetto, system_server)

 # Allow perfetto to read the trace config from /data/misc/perfetto-configs.
 # shell and adb can write files into that directory.
 allow perfetto perfetto_configs_data_file:dir r_dir_perms;
 allow perfetto perfetto_configs_data_file:file r_file_perms;

 # Allow perfetto to read the trace config from statsd, mm_events and shell
 # (both root and non-root) on stdin and also to write the resulting trace to
 # stdout.
 allow perfetto { statsd mm_events shell su }:fd use;
 allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };

 # Allow to communicate use, read and write over the adb connection.
 allow perfetto adbd:fd use;
 allow perfetto adbd:unix_stream_socket { read write };

 # Allow adbd to reap perfetto.
 allow perfetto adbd:process { sigchld };

 # Allow perfetto to write to statsd.
 unix_socket_send(perfetto, statsdw, statsd)

 # Allow to access /dev/pts when launched in an adb shell.
 allow perfetto devpts:chr_file rw_file_perms;

 # Allow perfetto to ask incidentd to start a report.
 # TODO(lalitm): remove all incidentd rules when proxy service is stable.
 allow perfetto incident_service:service_manager find;
 binder_call(perfetto, incidentd)

 # perfetto log formatter calls isatty() on its stderr. Denial when running
 # under adbd is harmless. Avoid generating denial logs.
 dontaudit perfetto adbd:unix_stream_socket getattr;
 dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
 # As above, when adbd is running in "su" domain (only the ioctl is denied in
 # practice).
 dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
 # Similarly, CTS tests end up hitting a denial on shell pipes.
 dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;

 ###
 ### Neverallow rules
 ###

 # Disallow anyone else from being able to handle traces except selected system
 # components.
 neverallow {
   domain
   -init      # The creator of the folder.
   -perfetto  # The owner of the folder.
   -adbd      # For pulling traces.
   -shell     # For devepment purposes.
   -traced    # For write_into_file traces.
   -dumpstate # For attaching traces to bugreports.
   -incidentd # For receiving reported traces. TODO(lalitm): remove this.
   -priv_app  # For stating traces for bug-report UI.
 } perfetto_traces_data_file:dir *;
 neverallow {
   domain
   -init      # The creator of the folder.
   -perfetto  # The owner of the folder.
   -adbd      # For pulling traces.
   -shell     # For devepment purposes.
   -traced    # For write_into_file traces.
   -incidentd      # For receiving reported traces. TODO(lalitm): remove this.
 } perfetto_traces_data_file:file ~{ getattr read };

 ### perfetto should NEVER do any of the following

 # Disallow mapping executable memory (execstack and exec are already disallowed
 # globally in domain.te).
 neverallow perfetto self:process execmem;

 # Block device access.
 neverallow perfetto dev_type:blk_file { read write };

 # ptrace any other process
 neverallow perfetto domain:process ptrace;

 # Disallows access to other /data files.
 neverallow perfetto {
   data_file_type
   -system_data_file
   -system_data_root_file
   # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
   # neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
   -zoneinfo_data_file
   -perfetto_traces_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
 neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
 neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
 neverallow perfetto {
   data_file_type
   -zoneinfo_data_file
   -perfetto_traces_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
 }:file ~write;
	# Perfetto command-line client. Can be used only from the domains that are
	# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
	# This command line client accesses the privileged socket of the traced
	# daemon.

	type perfetto_exec, system_file_type, exec_type, file_type;
	type perfetto_tmpfs, file_type;

	tmpfs_domain(perfetto);

	# Allow init to start a trace (for perfetto_boottrace).
	init_daemon_domain(perfetto)

	# Allow to access traced's privileged consumer socket.
	unix_socket_connect(perfetto, traced_consumer, traced)

	# Connect to the Perfetto traced daemon as a producer. This requires
	# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
	perfetto_producer(perfetto)

	# Allow to write and unlink traces into /data/misc/perfetto-traces.
	allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
	allow perfetto perfetto_traces_data_file:file create_file_perms;

	# Allow perfetto to access the proxy service for reporting traces.
	allow perfetto tracingproxy_service:service_manager find;
	binder_use(perfetto)
	binder_call(perfetto, system_server)

	# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
	# shell and adb can write files into that directory.
	allow perfetto perfetto_configs_data_file:dir r_dir_perms;
	allow perfetto perfetto_configs_data_file:file r_file_perms;

	# Allow perfetto to read the trace config from statsd, mm_events and shell
	# (both root and non-root) on stdin and also to write the resulting trace to
	# stdout.
	allow perfetto { statsd mm_events shell su }:fd use;
	allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };

	# Allow to communicate use, read and write over the adb connection.
	allow perfetto adbd:fd use;
	allow perfetto adbd:unix_stream_socket { read write };

	# Allow adbd to reap perfetto.
	allow perfetto adbd:process { sigchld };

	# Allow perfetto to write to statsd.
	unix_socket_send(perfetto, statsdw, statsd)

	# Allow to access /dev/pts when launched in an adb shell.
	allow perfetto devpts:chr_file rw_file_perms;

	# Allow perfetto to ask incidentd to start a report.
	# TODO(lalitm): remove all incidentd rules when proxy service is stable.
	allow perfetto incident_service:service_manager find;
	binder_call(perfetto, incidentd)

	# perfetto log formatter calls isatty() on its stderr. Denial when running
	# under adbd is harmless. Avoid generating denial logs.
	dontaudit perfetto adbd:unix_stream_socket getattr;
	dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
	# As above, when adbd is running in "su" domain (only the ioctl is denied in
	# practice).
	dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
	# Similarly, CTS tests end up hitting a denial on shell pipes.
	dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;

	###
	### Neverallow rules
	###

	# Disallow anyone else from being able to handle traces except selected system
	# components.
	neverallow {
	domain
	-init # The creator of the folder.
	-perfetto # The owner of the folder.
	-adbd # For pulling traces.
	-shell # For devepment purposes.
	-traced # For write_into_file traces.
	-dumpstate # For attaching traces to bugreports.
	-incidentd # For receiving reported traces. TODO(lalitm): remove this.
	-priv_app # For stating traces for bug-report UI.
	} perfetto_traces_data_file:dir *;
	neverallow {
	domain
	-init # The creator of the folder.
	-perfetto # The owner of the folder.
	-adbd # For pulling traces.
	-shell # For devepment purposes.
	-traced # For write_into_file traces.
	-incidentd # For receiving reported traces. TODO(lalitm): remove this.
	} perfetto_traces_data_file:file ~{ getattr read };

	### perfetto should NEVER do any of the following

	# Disallow mapping executable memory (execstack and exec are already disallowed
	# globally in domain.te).
	neverallow perfetto self:process execmem;

	# Block device access.
	neverallow perfetto dev_type:blk_file { read write };

	# ptrace any other process
	neverallow perfetto domain:process ptrace;

	# Disallows access to other /data files.
	neverallow perfetto {
	data_file_type
	-system_data_file
	-system_data_root_file
	# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
	# neverallow. Currently only getattr and search are allowed.
	-vendor_data_file
	-zoneinfo_data_file
	-perfetto_traces_data_file
	-perfetto_configs_data_file
	with_native_coverage(`-method_trace_data_file')
	}:dir *;
	neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
	neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
	neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
	neverallow perfetto {
	data_file_type
	-zoneinfo_data_file
	-perfetto_traces_data_file
	-perfetto_configs_data_file
	with_native_coverage(`-method_trace_data_file')
	}:file ~write;