traced.te revision d25ccabd24339938b6b3bb93cb3cb96b4aa55958
1# Perfetto user-space tracing daemon (unprivileged) 2type traced, domain, coredomain; 3type traced_exec, exec_type, file_type; 4 5# Allow init to exec the daemon. 6init_daemon_domain(traced) 7 8# Allow traced to start with a lower scheduling class and change 9# class accordingly to what defined in the config provided by 10# the privileged process that controls it. 11allow traced self:global_capability_class_set { sys_nice }; 12 13### 14### Neverallow rules 15### 16### traced should NEVER do any of this 17 18# Disallow mapping executable memory (execstack and exec are already disallowed 19# globally in domain.te). 20neverallow traced self:process execmem; 21 22# Block device access. 23neverallow traced dev_type:blk_file { read write }; 24 25# ptrace any other process 26neverallow traced domain:process ptrace; 27 28# Disallows access to /data files, still allowing to write to file descriptors 29# passed through the socket. 30neverallow traced { 31 data_file_type 32 -system_data_file 33 # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a 34 # subsequent neverallow. Currently only getattr and search are allowed. 35 -vendor_data_file 36 -zoneinfo_data_file 37}:dir *; 38neverallow traced { system_data_file }:dir ~{ getattr search }; 39neverallow traced zoneinfo_data_file:dir ~r_dir_perms; 40neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *; 41neverallow traced { data_file_type -zoneinfo_data_file }:file ~write; 42 43# Only init is allowed to enter the traced domain via exec() 44neverallow { domain -init } traced:process transition; 45neverallow * traced:process dyntransition; 46