1# Perfetto tracing probes, has tracefs access.
2type traced_probes_exec, system_file_type, exec_type, file_type;
3type traced_probes_tmpfs, file_type;
4
5# Allow init to exec the daemon.
6init_daemon_domain(traced_probes)
7tmpfs_domain(traced_probes)
8
9# Write trace data to the Perfetto traced damon. This requires connecting to its
10# producer socket and obtaining a (per-process) tmpfs fd.
11perfetto_producer(traced_probes)
12
13# Allow traced_probes to access tracefs.
14allow traced_probes debugfs_tracing:dir r_dir_perms;
15allow traced_probes debugfs_tracing:file rw_file_perms;
16allow traced_probes debugfs_trace_marker:file getattr;
17
18# TODO(primiano): temporarily I/O tracing categories are still
19# userdebug only until we nail down the denylist/allowlist.
20userdebug_or_eng(`
21allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
22allow traced_probes debugfs_tracing_debug:file rw_file_perms;
23')
24
25# Allow traced_probes to start with a higher scheduling class and then downgrade
26# itself.
27allow traced_probes self:global_capability_class_set { sys_nice };
28
29# Allow procfs access
30r_dir_file(traced_probes, domain)
31
32# Allow to read packages.list file.
33allow traced_probes packages_list_file:file r_file_perms;
34
35# Allow to log to kernel dmesg when starting / stopping ftrace.
36allow traced_probes kmsg_device:chr_file write;
37
38# Allow traced_probes to list the system partition.
39allow traced_probes system_file:dir { open read };
40
41# Allow traced_probes to list some of the data partition.
42allow traced_probes self:global_capability_class_set dac_read_search;
43
44allow traced_probes apk_data_file:dir { getattr open read search };
45allow traced_probes dalvikcache_data_file:dir { getattr open read search };
46userdebug_or_eng(`
47# search and getattr are granted via domain and coredomain, respectively.
48allow traced_probes system_data_file:dir { open read };
49')
50allow traced_probes system_app_data_file:dir { getattr open read search };
51allow traced_probes backup_data_file:dir { getattr open read search };
52allow traced_probes bootstat_data_file:dir { getattr open read search };
53allow traced_probes update_engine_data_file:dir { getattr open read search };
54allow traced_probes update_engine_log_data_file:dir { getattr open read search };
55allow traced_probes user_profile_data_file:dir { getattr open read search };
56
57# Allow traced_probes to run atrace. atrace pokes at system services to enable
58# their userspace TRACE macros.
59domain_auto_trans(traced_probes, atrace_exec, atrace);
60
61# Allow traced_probes to kill atrace on timeout.
62allow traced_probes atrace:process sigkill;
63
64# Allow traced_probes to access /proc files for system stats.
65# Note: trace data is NOT exposed to anything other than shell and privileged
66# system apps that have access to the traced consumer socket.
67allow traced_probes {
68  proc_meminfo
69  proc_vmstat
70  proc_stat
71}:file r_file_perms;
72
73# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
74hal_client_domain(traced_probes, hal_health)
75hal_client_domain(traced_probes, hal_power_stats)
76
77# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
78hal_client_domain(traced_probes, hal_atrace)
79
80# On debug builds allow to ingest system logs into the trace.
81userdebug_or_eng(`read_logd(traced_probes)')
82
83###
84### Neverallow rules
85###
86### traced_probes should NEVER do any of this
87
88# Disallow mapping executable memory (execstack and exec are already disallowed
89# globally in domain.te).
90neverallow traced_probes self:process execmem;
91
92# Block device access.
93neverallow traced_probes dev_type:blk_file { read write };
94
95# ptrace any other app
96neverallow traced_probes domain:process ptrace;
97
98# Disallows access to /data files.
99neverallow traced_probes {
100  data_file_type
101  -apk_data_file
102  -dalvikcache_data_file
103  -system_data_file
104  -system_data_root_file
105  -system_app_data_file
106  -backup_data_file
107  -bootstat_data_file
108  -update_engine_data_file
109  -update_engine_log_data_file
110  -user_profile_data_file
111  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
112  # subsequent neverallow. Currently only getattr and search are allowed.
113  -vendor_data_file
114  -zoneinfo_data_file
115  with_native_coverage(`-method_trace_data_file')
116}:dir *;
117neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
118neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
119neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
120neverallow traced_probes {
121  data_file_type
122  -zoneinfo_data_file
123  -packages_list_file
124  with_native_coverage(`-method_trace_data_file')
125}:file *;
126
127# Only init is allowed to enter the traced_probes domain via exec()
128neverallow { domain -init } traced_probes:process transition;
129neverallow * traced_probes:process dyntransition;
130