traced_probes.te revision 49b79029cbb4bfb362b6b823e63bb467e8012230
# Perfetto tracing probes daemon (traced_probes), has tracefs access.
# This statement declares only the label of the daemon executable.
type traced_probes_exec, exec_type, file_type;

# Allow init to exec the daemon.
init_daemon_domain(traced_probes)

# Write trace data to the Perfetto traced daemon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
# The tmpfs file permissions below do not include open, so these rules only
# cover a descriptor handed over by traced (the fd use rule), not opening the
# file by path.
allow traced_probes traced:fd use;
allow traced_probes traced_tmpfs:file { read write getattr map };
unix_socket_connect(traced_probes, traced_producer, traced)

# Allow traced_probes to access tracefs: read-only directory access, read and
# write on files labelled debugfs_tracing. The trace marker file is limited to
# getattr here.
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;

# TODO(primiano): temporarily I/O tracing categories are still
# userdebug only until we nail down the blacklist/whitelist.
# The rule below sits inside userdebug_or_eng, so debugfs_tracing_debug files
# are readable and writable on userdebug and eng builds only; user builds do
# not get this rule.
userdebug_or_eng(`
  allow traced_probes debugfs_tracing_debug:file rw_file_perms;
')

# Allow traced_probes to start with a higher scheduling class and then downgrade
# itself. sys_nice is the only capability named in this rule.
allow traced_probes self:global_capability_class_set { sys_nice };

# Allow procfs access. The target is the domain attribute, so this is read
# access to the per-process entries of every process domain, not only to the
# entries of traced_probes itself.
# NOTE(review): this is a wide read surface. The ptrace neverallow further down
# in this file keeps it from extending to attaching to those processes.
r_dir_file(traced_probes, domain)

# Allow to log to kernel dmesg when starting / stopping ftrace.
# Write only: no read permission on the kmsg device is granted here.
allow traced_probes kmsg_device:chr_file write;

# Allow traced_probes to list the system partition.
# Directory open and read only; this rule grants no file permissions on
# system_file.
allow traced_probes system_file:dir { open read };

# Allow traced_probes to list some of the data partition.
# dac_read_search lets the daemon pass the DAC read and search checks that
# would otherwise stop it from walking these directories. What it can reach is
# then bounded by SELinux: every rule below is directory-only, and the
# neverallow rules at the end of this file deny all file and lnk_file access on
# data_file_type except zoneinfo_data_file.
allow traced_probes self:capability dac_read_search;

# Directory listing only (getattr, open, read, search); no file class appears
# in any of these rules.
allow traced_probes apk_data_file:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
# system_data_file directories are granted on userdebug and eng builds only.
# The matching neverallow in this file exempts open and read under the same
# build condition.
userdebug_or_eng(`
  allow traced_probes system_data_file:dir { getattr open read search };
')
allow traced_probes system_app_data_file:dir { getattr open read search };
allow traced_probes backup_data_file:dir { getattr open read search };
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
allow traced_probes user_profile_data_file:dir { getattr open read search };

# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
# Executing a file labelled atrace_exec moves the process from traced_probes
# into the atrace domain, so atrace runs under its own policy rather than with
# the permissions granted in this file.
# NOTE(review): unlike the other macro calls in this file, this one ends with a
# semicolon; presumably harmless, confirm.
domain_auto_trans(traced_probes, atrace_exec, atrace);

# This is needed for: path="/system/bin/linker64"
# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
# The source of this rule is atrace, not traced_probes: it lets the atrace
# domain use file descriptors that belong to traced_probes.
allow atrace traced_probes:fd use;

###
### Neverallow rules
###
### traced_probes should NEVER do any of this

# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced_probes self:process execmem;

# Disallow block device access. Only read and write are named; other blk_file
# permissions are not covered by this rule.
neverallow traced_probes dev_type:blk_file { read write };

# Disallow ptrace of any process. The target is the domain attribute, so this
# covers every process domain, not only apps.
neverallow traced_probes domain:process ptrace;

# Disallows access to /data files.
# Directories: deny every permission on all data_file_type directories except
# the types subtracted below. The subtracted types mirror the directory allow
# rules earlier in this file, plus vendor_data_file and zoneinfo_data_file.
neverallow traced_probes {
  data_file_type
  -apk_data_file
  -dalvikcache_data_file
  -system_data_file
  -system_app_data_file
  -backup_data_file
  -bootstat_data_file
  -update_engine_data_file
  -update_engine_log_data_file
  -user_profile_data_file
  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
  # subsequent neverallow. Currently only getattr and search are allowed.
  # NOTE(review): no vendor_data_file neverallow is visible in this listing,
  # and this file has no allow rule for vendor_data_file either. Confirm where
  # the getattr and search limit is enforced; until then the exemption leaves
  # vendor_data_file directories unconstrained by this file.
  -vendor_data_file
  -zoneinfo_data_file
}:dir *;
# system_data_file directories: deny everything except getattr and search, plus
# open and read on userdebug and eng builds only.
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
# zoneinfo_data_file directories: deny everything outside r_dir_perms.
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
# Symlinks and regular files: deny every permission on all data_file_type
# except zoneinfo_data_file. None of the directory exemptions above carries
# over to file contents.
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;

# Only init is allowed to enter the traced_probes domain via exec().
# Dynamic transitions into the domain are denied for every source.
neverallow { domain -init } traced_probes:process transition;
neverallow * traced_probes:process dyntransition;