xref: /aosp_15_r20/system/sepolicy/private/perfetto.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)

# Perfetto command-line client. Can be used only from the domains that are
# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.

type perfetto_exec, system_file_type, exec_type, file_type;
type perfetto_tmpfs, file_type;

tmpfs_domain(perfetto);

# Allow init to start a trace (for perfetto_boottrace).
init_daemon_domain(perfetto)

# Allow to access traced's privileged consumer socket.
unix_socket_connect(perfetto, traced_consumer, traced)

# Connect to the Perfetto traced daemon as a producer. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(perfetto)

# Allow to write and unlink traces into /data/misc/perfetto-traces.
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;

# Allow to write and unlink trace into /data/misc/perfetto-traces/bugreport*
allow perfetto perfetto_traces_bugreport_data_file:file create_file_perms;
allow perfetto perfetto_traces_bugreport_data_file:dir rw_dir_perms;

# Allow to write and unlink traces into /data/misc/perfetto-traces/profiling.
allow perfetto perfetto_traces_profiling_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_profiling_data_file:file create_file_perms;

# Allow perfetto to access the proxy service for reporting traces.
allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
binder_call(perfetto, system_server)

# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
# shell and adb can write files into that directory.
allow perfetto perfetto_configs_data_file:dir r_dir_perms;
allow perfetto perfetto_configs_data_file:file r_file_perms;

# Allow perfetto to read the trace config from /system/etc/perfetto.
allow perfetto system_perfetto_config_file:dir r_dir_perms;
allow perfetto system_perfetto_config_file:file r_file_perms;

# Allow perfetto to read the trace config from statsd, mm_events and shell
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
allow perfetto { statsd mm_events shell su }:fd use;
allow perfetto { statsd mm_events shell su system_server }:fifo_file { getattr read write ioctl };

# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
allow perfetto adbd:unix_stream_socket { read write };

# Allow adbd to reap perfetto.
allow perfetto adbd:process { sigchld };

# Allow perfetto to write to statsd.
unix_socket_send(perfetto, statsdw, statsd)

# Allow to access /dev/pts when launched in an adb shell.
allow perfetto devpts:chr_file rw_file_perms;

# Allow perfetto to ask incidentd to start a report.
# TODO(lalitm): remove all incidentd rules when proxy service is stable.
allow perfetto incident_service:service_manager find;
binder_call(perfetto, incidentd)

# perfetto log formatter calls isatty() on its stderr. Denial when running
# under adbd is harmless. Avoid generating denial logs.
dontaudit perfetto adbd:unix_stream_socket getattr;
dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
# As above, when adbd is running in "su" domain (only the ioctl is denied in
# practice).
dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
# Similarly, CTS tests end up hitting a denial on shell pipes.
dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;

###
### Neverallow rules
###

# Disallow anyone else from being able to handle traces except selected system
# components.
neverallow {
  domain
  -init      # The creator of the folder.
  -perfetto  # The owner of the folder.
  -adbd      # For pulling traces.
  -shell     # For devepment purposes.
  -traced    # For write_into_file traces.
  -dumpstate # For attaching traces to bugreports.
  -incidentd # For receiving reported traces. TODO(lalitm): remove this.
  -priv_app  # For stating traces for bug-report UI.
  -system_server # For accessing traces started by profiling apis.
  -trace_redactor # For accessing traces to be redacted.
} perfetto_traces_data_file:dir *;
neverallow {
  domain
  -init      # The creator of the folder.
  -perfetto  # The owner of the folder.
  -adbd      # For pulling traces.
  -shell     # For devepment purposes.
  -traced    # For write_into_file traces.
  -incidentd      # For receiving reported traces. TODO(lalitm): remove this.
  -trace_redactor # For redacting trace files.
} perfetto_traces_data_file:file ~{ getattr read };

### perfetto should NEVER do any of the following

# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow perfetto self:process execmem;

# Block device access.
neverallow perfetto dev_type:blk_file { read write };

# ptrace any other process
neverallow perfetto domain:process ptrace;

# Disallows access to other /data files.
neverallow perfetto {
  data_file_type
  -system_data_file
  -system_data_root_file
  -media_userdir_file
  -system_userdir_file
  -vendor_userdir_file
  # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
  # neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
  -perfetto_traces_data_file
  -perfetto_traces_bugreport_data_file
  -perfetto_traces_profiling_data_file
  -perfetto_configs_data_file
  with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow perfetto {
  system_data_file
  -perfetto_traces_data_file
  -perfetto_traces_profiling_data_file
}:dir ~{ getattr search };
neverallow perfetto {
  data_file_type
  -perfetto_traces_data_file
  -perfetto_traces_bugreport_data_file
  -perfetto_traces_profiling_data_file
  -perfetto_configs_data_file
  with_native_coverage(`-method_trace_data_file')
}:file ~write;