Ensure that only desired processes can access TracingServiceProxy
This change adds a neverallow rule in traced.te to limit the processes
that can find tracingproxy_service, the context for TracingServiceProxy.
I wanted to avoid moving the tracingproxy_service definition to public,
so a few services are instead exempted from this neverallow rule.
Bug: 191391382
Test: Manually verified that with this change, along with the other
change in this topic, I see no errors when taking a bugreport while a
Traceur trace is running and the expected trace is included in the
generated bugreport.
Change-Id: I28d0b1b08baac43a53fe5a1ff0f67b788d51dc74
Merged-In: I8658df0db92ae9cf4fefe2eebb4d6d9a5349ea89
(cherry picked from commit 2d6fb3971b8b4e8fb81d582273fb5d6803e5d309)
diff --git a/prebuilts/api/31.0/private/atrace.te b/prebuilts/api/31.0/private/atrace.te
index d4aed40..d9e351c 100644
--- a/prebuilts/api/31.0/private/atrace.te
+++ b/prebuilts/api/31.0/private/atrace.te
@@ -27,15 +27,16 @@
allow atrace {
service_manager_type
-apex_service
- -incident_service
- -iorapd_service
- -netd_service
-dnsresolver_service
- -stats_service
-dumpstate_service
+ -incident_service
-installd_service
- -vold_service
+ -iorapd_service
-lpdump_service
+ -netd_service
+ -stats_service
+ -tracingproxy_service
+ -vold_service
-default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
diff --git a/prebuilts/api/31.0/private/incidentd.te b/prebuilts/api/31.0/private/incidentd.te
index ef191a2..e20e6ca 100644
--- a/prebuilts/api/31.0/private/incidentd.te
+++ b/prebuilts/api/31.0/private/incidentd.te
@@ -161,6 +161,7 @@
system_server_service
app_api_service
system_api_service
+ -tracingproxy_service
}:service_manager find;
# Only incidentd can publish the binder service
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 10b8177..239686e 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -90,6 +90,7 @@
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
+ -tracingproxy_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
diff --git a/prebuilts/api/31.0/private/traced.te b/prebuilts/api/31.0/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/prebuilts/api/31.0/private/traced.te
+++ b/prebuilts/api/31.0/private/traced.te
@@ -116,3 +116,6 @@
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/private/atrace.te b/private/atrace.te
index d4aed40..d9e351c 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -27,15 +27,16 @@
allow atrace {
service_manager_type
-apex_service
- -incident_service
- -iorapd_service
- -netd_service
-dnsresolver_service
- -stats_service
-dumpstate_service
+ -incident_service
-installd_service
- -vold_service
+ -iorapd_service
-lpdump_service
+ -netd_service
+ -stats_service
+ -tracingproxy_service
+ -vold_service
-default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
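Review bot: The added `-tracingproxy_service` exclusion in the atrace find rule carries no comment linking it to the neverallow in traced.te that requires it, so a later edit dropping the exclusion would only be caught at policy compile time; a line such as `# tracingproxy_service: access is restricted by a neverallow in traced.te` above the exclusion would record the dependency. The same applies to the single-line carve-outs in the incidentd.te and system_app.te hunks below. The other `-`/`+` pairs in this hunk only re-sort existing exclusions alphabetically, which mixes a cosmetic reorder with the one functional change and makes the hunk harder to audit; either separating the reorder or mentioning it in the description would help. The enclosing `allow atrace { ... }` block is fully inside the hunk, and the identical change is mirrored in the prebuilts/api/31.0 copies.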
diff --git a/private/incidentd.te b/private/incidentd.te
index ef191a2..e20e6ca 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -161,6 +161,7 @@
system_server_service
app_api_service
system_api_service
+ -tracingproxy_service
}:service_manager find;
# Only incidentd can publish the binder service
diff --git a/private/system_app.te b/private/system_app.te
index 10b8177..239686e 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -90,6 +90,7 @@
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
+ -tracingproxy_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
diff --git a/private/traced.te b/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -116,3 +116,6 @@
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
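Review bot: The new neverallow's exemption list gives no justification for each of the five domains, and `shell` in particular means the rule does not constrain what an adb shell user can find, which is broader than "only desired processes" in the title suggests; if that is intended, the comment should say so. Expanding the comment to name the role of each exempted domain, e.g. `# Only these domains are expected to find tracingproxy_service: traced (owner), dumpstate, traceur_app, shell and system_server.`, would make future audits of the list possible without re-deriving it. The rule restricts only `find`; it is not visible here whether `add` on tracingproxy_service is limited to the publishing domain elsewhere, so that is worth confirming. The prebuilts/api/31.0/private/traced.te hunk is an identical copy.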