private/traced_probes.te - platform/system/sepolicy - Git at Google

 # Perfetto tracing probes, has tracefs access.
 type traced_probes, domain, coredomain;
 type traced_probes_exec, exec_type, file_type;

 # Allow init to exec the daemon.
 init_daemon_domain(traced_probes)

 # Write trace data to the Perfetto traced damon. This requires connecting to its
 # producer socket and obtaining a (per-process) tmpfs fd.
 allow traced_probes traced:fd use;
 allow traced_probes traced_tmpfs:file { read write getattr map };
 unix_socket_connect(traced_probes, traced_producer, traced)

 # Allow traced_probes to access tracefs.
 # TODO(primiano): For the moment this is userdebug/eng only until we get an
 # approval for user builds.
 userdebug_or_eng(`
 allow traced_probes debugfs_tracing:dir r_dir_perms;
 allow traced_probes debugfs_tracing:file rw_file_perms;
 allow traced_probes debugfs_tracing_debug:file rw_file_perms;
 allow traced_probes debugfs_trace_marker:file getattr;
 ')

 # Allow traced_probes to start with a higher scheduling class and then downgrade
 # itself.
 allow traced_probes self:global_capability_class_set { sys_nice };

 # Allow procfs access
 r_dir_file(traced_probes, domain)

 ###
 ### Neverallow rules
 ###
 ### traced_probes should NEVER do any of this

 # Disallow mapping executable memory (execstack and exec are already disallowed
 # globally in domain.te).
 neverallow traced_probes self:process execmem;

 # Block device access.
 neverallow traced_probes dev_type:blk_file { read write };

 # ptrace any other app
 neverallow traced_probes domain:process ptrace;

 # Disallows access to /data files.
 neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
 neverallow traced system_data_file:dir ~{ getattr search };
 neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced { data_file_type -zoneinfo_data_file }:file *;

 # Only init is allowed to enter the traced_probes domain via exec()
 neverallow { domain -init } traced_probes:process transition;
 neverallow * traced_probes:process dyntransition;
	# Perfetto tracing probes, has tracefs access.
	type traced_probes, domain, coredomain;
	type traced_probes_exec, exec_type, file_type;

	# Allow init to exec the daemon.
	init_daemon_domain(traced_probes)

	# Write trace data to the Perfetto traced damon. This requires connecting to its
	# producer socket and obtaining a (per-process) tmpfs fd.
	allow traced_probes traced:fd use;
	allow traced_probes traced_tmpfs:file { read write getattr map };
	unix_socket_connect(traced_probes, traced_producer, traced)

	# Allow traced_probes to access tracefs.
	# TODO(primiano): For the moment this is userdebug/eng only until we get an
	# approval for user builds.
	userdebug_or_eng(`
	allow traced_probes debugfs_tracing:dir r_dir_perms;
	allow traced_probes debugfs_tracing:file rw_file_perms;
	allow traced_probes debugfs_tracing_debug:file rw_file_perms;
	allow traced_probes debugfs_trace_marker:file getattr;
	')

	# Allow traced_probes to start with a higher scheduling class and then downgrade
	# itself.
	allow traced_probes self:global_capability_class_set { sys_nice };

	# Allow procfs access
	r_dir_file(traced_probes, domain)

	###
	### Neverallow rules
	###
	### traced_probes should NEVER do any of this

	# Disallow mapping executable memory (execstack and exec are already disallowed
	# globally in domain.te).
	neverallow traced_probes self:process execmem;

	# Block device access.
	neverallow traced_probes dev_type:blk_file { read write };

	# ptrace any other app
	neverallow traced_probes domain:process ptrace;

	# Disallows access to /data files.
	neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
	neverallow traced system_data_file:dir ~{ getattr search };
	neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
	neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
	neverallow traced { data_file_type -zoneinfo_data_file }:file *;

	# Only init is allowed to enter the traced_probes domain via exec()
	neverallow { domain -init } traced_probes:process transition;
	neverallow * traced_probes:process dyntransition;