xref: /aosp_15_r20/system/sepolicy/prebuilts/api/33.0/private/perfetto.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1# Perfetto command-line client. Can be used only from the domains that are
2# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
3# This command line client accesses the privileged socket of the traced
4# daemon.
5
6type perfetto_exec, system_file_type, exec_type, file_type;
7type perfetto_tmpfs, file_type;
8
9tmpfs_domain(perfetto);
10
11# Allow init to start a trace (for perfetto_boottrace).
12init_daemon_domain(perfetto)
13
14# Allow to access traced's privileged consumer socket.
15unix_socket_connect(perfetto, traced_consumer, traced)
16
17# Connect to the Perfetto traced daemon as a producer. This requires
18# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
19perfetto_producer(perfetto)
20
21# Allow to write and unlink traces into /data/misc/perfetto-traces.
22allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
23allow perfetto perfetto_traces_data_file:file create_file_perms;
24
25# Allow perfetto to access the proxy service for reporting traces.
26allow perfetto tracingproxy_service:service_manager find;
27binder_use(perfetto)
28binder_call(perfetto, system_server)
29
30# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
31# shell and adb can write files into that directory.
32allow perfetto perfetto_configs_data_file:dir r_dir_perms;
33allow perfetto perfetto_configs_data_file:file r_file_perms;
34
35# Allow perfetto to read the trace config from statsd, mm_events and shell
36# (both root and non-root) on stdin and also to write the resulting trace to
37# stdout.
38allow perfetto { statsd mm_events shell su }:fd use;
39allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
40
41# Allow to communicate use, read and write over the adb connection.
42allow perfetto adbd:fd use;
43allow perfetto adbd:unix_stream_socket { read write };
44
45# Allow adbd to reap perfetto.
46allow perfetto adbd:process { sigchld };
47
48# Allow perfetto to write to statsd.
49unix_socket_send(perfetto, statsdw, statsd)
50
51# Allow to access /dev/pts when launched in an adb shell.
52allow perfetto devpts:chr_file rw_file_perms;
53
54# Allow perfetto to ask incidentd to start a report.
55# TODO(lalitm): remove all incidentd rules when proxy service is stable.
56allow perfetto incident_service:service_manager find;
57binder_call(perfetto, incidentd)
58
59# perfetto log formatter calls isatty() on its stderr. Denial when running
60# under adbd is harmless. Avoid generating denial logs.
61dontaudit perfetto adbd:unix_stream_socket getattr;
62dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
63# As above, when adbd is running in "su" domain (only the ioctl is denied in
64# practice).
65dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
66# Similarly, CTS tests end up hitting a denial on shell pipes.
67dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
68
69###
70### Neverallow rules
71###
72
73# Disallow anyone else from being able to handle traces except selected system
74# components.
75neverallow {
76  domain
77  -init      # The creator of the folder.
78  -perfetto  # The owner of the folder.
79  -adbd      # For pulling traces.
80  -shell     # For devepment purposes.
81  -traced    # For write_into_file traces.
82  -dumpstate # For attaching traces to bugreports.
83  -incidentd # For receiving reported traces. TODO(lalitm): remove this.
84  -priv_app  # For stating traces for bug-report UI.
85} perfetto_traces_data_file:dir *;
86neverallow {
87  domain
88  -init      # The creator of the folder.
89  -perfetto  # The owner of the folder.
90  -adbd      # For pulling traces.
91  -shell     # For devepment purposes.
92  -traced    # For write_into_file traces.
93  -incidentd      # For receiving reported traces. TODO(lalitm): remove this.
94} perfetto_traces_data_file:file ~{ getattr read };
95
96### perfetto should NEVER do any of the following
97
98# Disallow mapping executable memory (execstack and exec are already disallowed
99# globally in domain.te).
100neverallow perfetto self:process execmem;
101
102# Block device access.
103neverallow perfetto dev_type:blk_file { read write };
104
105# ptrace any other process
106neverallow perfetto domain:process ptrace;
107
108# Disallows access to other /data files.
109neverallow perfetto {
110  data_file_type
111  -system_data_file
112  -system_data_root_file
113  # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
114  # neverallow. Currently only getattr and search are allowed.
115  -vendor_data_file
116  -zoneinfo_data_file
117  -perfetto_traces_data_file
118  -perfetto_configs_data_file
119  with_native_coverage(`-method_trace_data_file')
120}:dir *;
121neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
122neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
123neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
124neverallow perfetto {
125  data_file_type
126  -zoneinfo_data_file
127  -perfetto_traces_data_file
128  -perfetto_configs_data_file
129  with_native_coverage(`-method_trace_data_file')
130}:file ~write;
131