Ensure that only desired processes can access TracingServiceProxy This change adds a neverallow rule in traced.te to limit the processes that can find tracingproxy_service, the context for TracingServiceProxy. I wanted to avoid moving the tracingproxy_service definition to public, so there were a few services that are exempted from this neverallow rule. Bug: 191391382 Test: Manually verified that with this change, along with the other change in this topic, I see no errors when taking a bugreport while a Traceur trace is running and the expected trace is included in the generated bugreport. Change-Id: I28d0b1b08baac43a53fe5a1ff0f67b788d51dc74 Merged-In: I8658df0db92ae9cf4fefe2eebb4d6d9a5349ea89 (cherry picked from commit 2d6fb3971b8b4e8fb81d582273fb5d6803e5d309)

commit: 7280d19d61426160b8aeb8cb1c18096ba48dc6e9 [log] [tgz]
author: Carmen Jackson <carmenjackson@google.com> Wed Jun 23 16:21:49 2021 -0700
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Thu Jun 24 23:51:26 2021 +0000
tree: f778d42e0681bdd246d6dc8401806e0aa22e241f
parent: 5c2d7ca0c13c3c4d06bafef63bd4aae3a39ba0c2 [diff]
diff --git a/prebuilts/api/31.0/private/atrace.te b/prebuilts/api/31.0/private/atrace.te
index d4aed40..d9e351c 100644
--- a/prebuilts/api/31.0/private/atrace.te
+++ b/prebuilts/api/31.0/private/atrace.te

@@ -27,15 +27,16 @@
 allow atrace {
   service_manager_type
   -apex_service
-  -incident_service
-  -iorapd_service
-  -netd_service
   -dnsresolver_service
-  -stats_service
   -dumpstate_service
+  -incident_service
   -installd_service
-  -vold_service
+  -iorapd_service
   -lpdump_service
+  -netd_service
+  -stats_service
+  -tracingproxy_service
+  -vold_service
   -default_android_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;

diff --git a/prebuilts/api/31.0/private/incidentd.te b/prebuilts/api/31.0/private/incidentd.te
index ef191a2..e20e6ca 100644
--- a/prebuilts/api/31.0/private/incidentd.te
+++ b/prebuilts/api/31.0/private/incidentd.te

@@ -161,6 +161,7 @@
   system_server_service
   app_api_service
   system_api_service
+  -tracingproxy_service
 }:service_manager find;
 
 # Only incidentd can publish the binder service

diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 10b8177..239686e 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te

@@ -90,6 +90,7 @@
   -netd_service
   -system_suspend_control_internal_service
   -system_suspend_control_service
+  -tracingproxy_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service

diff --git a/prebuilts/api/31.0/private/traced.te b/prebuilts/api/31.0/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/prebuilts/api/31.0/private/traced.te
+++ b/prebuilts/api/31.0/private/traced.te

@@ -116,3 +116,6 @@
 # Only init is allowed to enter the traced domain via exec()
 neverallow { domain -init } traced:process transition;
 neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;

diff --git a/private/atrace.te b/private/atrace.te
index d4aed40..d9e351c 100644
--- a/private/atrace.te
+++ b/private/atrace.te

@@ -27,15 +27,16 @@
 allow atrace {
   service_manager_type
   -apex_service
-  -incident_service
-  -iorapd_service
-  -netd_service
   -dnsresolver_service
-  -stats_service
   -dumpstate_service
+  -incident_service
   -installd_service
-  -vold_service
+  -iorapd_service
   -lpdump_service
+  -netd_service
+  -stats_service
+  -tracingproxy_service
+  -vold_service
   -default_android_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;

diff --git a/private/incidentd.te b/private/incidentd.te
index ef191a2..e20e6ca 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te

@@ -161,6 +161,7 @@
   system_server_service
   app_api_service
   system_api_service
+  -tracingproxy_service
 }:service_manager find;
 
 # Only incidentd can publish the binder service

diff --git a/private/system_app.te b/private/system_app.te
index 10b8177..239686e 100644
--- a/private/system_app.te
+++ b/private/system_app.te

@@ -90,6 +90,7 @@
   -netd_service
   -system_suspend_control_internal_service
   -system_suspend_control_service
+  -tracingproxy_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service

diff --git a/private/traced.te b/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/private/traced.te
+++ b/private/traced.te

@@ -116,3 +116,6 @@
 # Only init is allowed to enter the traced domain via exec()
 neverallow { domain -init } traced:process transition;
 neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
commit	7280d19d61426160b8aeb8cb1c18096ba48dc6e9	[log] [tgz]
author	Carmen Jackson <carmenjackson@google.com>	Wed Jun 23 16:21:49 2021 -0700
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	Thu Jun 24 23:51:26 2021 +0000
tree	f778d42e0681bdd246d6dc8401806e0aa22e241f
parent	5c2d7ca0c13c3c4d06bafef63bd4aae3a39ba0c2 [diff]