android_system_sepolicy/private/traced.te

# Perfetto user-space tracing daemon (unprivileged)
type traced, domain, coredomain;
type traced_exec, exec_type, file_type;

# Allow init to exec the daemon.
init_daemon_domain(traced)

# Allow traced to start with a lower scheduling class and change
# class accordingly to what defined in the config provided by
# the privileged process that controls it.
allow traced self:global_capability_class_set { sys_nice };

###
### Neverallow rules
###
### traced should NEVER do any of this

# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced self:process execmem;

# Block device access.
neverallow traced dev_type:blk_file { read write };

# ptrace any other process
neverallow traced domain:process ptrace;

# Disallows access to /data files, still allowing to write to file descriptors
# passed through the socket.
neverallow traced {
  data_file_type
  -system_data_file
  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
  # subsequent neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
  -zoneinfo_data_file
}:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;

# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405 2017-12-20 18:51:15 -08:00			`# Perfetto user-space tracing daemon (unprivileged)`
			`type traced, domain, coredomain;`
			`type traced_exec, exec_type, file_type;`

			`# Allow init to exec the daemon.`
			`init_daemon_domain(traced)`

			`# Allow traced to start with a lower scheduling class and change`
			`# class accordingly to what defined in the config provided by`
			`# the privileged process that controls it.`
			`allow traced self:global_capability_class_set { sys_nice };`

			`###`
			`### Neverallow rules`
			`###`
			`### traced should NEVER do any of this`

			`# Disallow mapping executable memory (execstack and exec are already disallowed`
			`# globally in domain.te).`
			`neverallow traced self:process execmem;`

			`# Block device access.`
			`neverallow traced dev_type:blk_file { read write };`

			`# ptrace any other process`
			`neverallow traced domain:process ptrace;`

			`# Disallows access to /data files, still allowing to write to file descriptors`
			`# passed through the socket.`
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34 2018-02-07 16:29:06 -08:00			`neverallow traced {`
			`data_file_type`
			`-system_data_file`
			`# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a`
			`# subsequent neverallow. Currently only getattr and search are allowed.`
			`-vendor_data_file`
			`-zoneinfo_data_file`
			`}:dir *;`
			`neverallow traced { system_data_file }:dir ~{ getattr search };`
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405 2017-12-20 18:51:15 -08:00			`neverallow traced zoneinfo_data_file:dir ~r_dir_perms;`
			`neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;`
			`neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;`

			`# Only init is allowed to enter the traced domain via exec()`
			`neverallow { domain -init } traced:process transition;`
			`neverallow * traced:process dyntransition;`