1# Perfetto command-line client. Can be used only from the domains that are
2# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
3# This command line client accesses the privileged socket of the traced
4# daemon.
5
6type perfetto_exec, system_file_type, exec_type, file_type;
7type perfetto_tmpfs, file_type;
8
9tmpfs_domain(perfetto);
10
11# Allow to access traced's privileged consumer socket.
12unix_socket_connect(perfetto, traced_consumer, traced)
13
14# Connect to the Perfetto traced daemon as a producer. This requires
15# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
16perfetto_producer(perfetto)
17
18# Allow to write and unlink traces into /data/misc/perfetto-traces.
19allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
20allow perfetto perfetto_traces_data_file:file create_file_perms;
21
22# Allow to access binder to pass the traces to Dropbox.
23binder_use(perfetto)
24binder_call(perfetto, system_server)
25allow perfetto dropbox_service:service_manager find;
26
27# Allow perfetto to read the trace config from statsd and shell
28# (both root and non-root) on stdin and also to write the resulting trace to
29# stdout.
30allow perfetto { statsd shell su }:fd use;
31allow perfetto { statsd shell su }:fifo_file { getattr read write };
32
33# Allow to communicate use, read and write over the adb connection.
34allow perfetto adbd:fd use;
35allow perfetto adbd:unix_stream_socket { read write };
36
37# Allow adbd to reap perfetto.
38allow perfetto adbd:process { sigchld };
39
40# Allow perfetto to write to statsd.
41unix_socket_send(perfetto, statsdw, statsd)
42
43# Allow to access /dev/pts when launched in an adb shell.
44allow perfetto devpts:chr_file rw_file_perms;
45
46# Allow perfetto to ask incidentd to start a report.
47allow perfetto incident_service:service_manager find;
48binder_call(perfetto, incidentd)
49
50# perfetto log formatter calls isatty() on its stderr. Denial when running
51# under adbd is harmless. Avoid generating denial logs.
52dontaudit perfetto adbd:unix_stream_socket getattr;
53dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
54# As above, when adbd is running in "su" domain (only the ioctl is denied in
55# practice).
56dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
57# Similarly, CTS tests end up hitting a denial on shell pipes.
58dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
59
60###
61### Neverallow rules
62###
63### perfetto should NEVER do any of this
64
65# Disallow mapping executable memory (execstack and exec are already disallowed
66# globally in domain.te).
67neverallow perfetto self:process execmem;
68
69# Block device access.
70neverallow perfetto dev_type:blk_file { read write };
71
72# ptrace any other process
73neverallow perfetto domain:process ptrace;
74
75# Disallows access to other /data files.
76neverallow perfetto {
77  data_file_type
78  -system_data_file
79  -system_data_root_file
80  # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
81  # neverallow. Currently only getattr and search are allowed.
82  -vendor_data_file
83  -zoneinfo_data_file
84  -perfetto_traces_data_file
85  with_native_coverage(`-method_trace_data_file')
86}:dir *;
87neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
88neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
89neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
90neverallow perfetto {
91  data_file_type
92  -zoneinfo_data_file
93  -perfetto_traces_data_file
94  with_native_coverage(`-method_trace_data_file')
95}:file ~write;
96