# SELinux type-enforcement rules for the statsd daemon domain.
# The macros used below (init_daemon_domain, binder_call, get_prop, ...) are
# defined outside this file.

# Tag statsd with the coredomain attribute.
typeattribute statsd coredomain;

# Set statsd up as a daemon domain started by init.
init_daemon_domain(statsd)

# Allow statsd to exec the perfetto cmdline client and pass it the trace
# config on stdin through a pipe. This lets statsd capture traces and hand
# them to Android dropbox.
# The domain_auto_trans rule names perfetto as the target domain, so the
# client is expected to run as perfetto rather than with statsd permissions.
allow statsd perfetto_exec:file rx_file_perms;
domain_auto_trans(statsd, perfetto_exec, perfetto)

# Allow statsd to look up the StatsCompanion service.
# Only find is granted here; this rule does not cover registering (add) a
# service.
allow statsd {
  statscompanion_service
}:service_manager find;

# Allow statsd to write to a pipe owned by incidentd, so that incidentd can
# obtain the statsd incident section.
allow statsd incidentd:fifo_file write;

# Allow StatsCompanionService (pipes owned by system_server) to pipe data to
# statsd.
allow statsd system_server:fifo_file { read write getattr };

# Allow any app to pipe data to statsd.
# Access control for all statsd APIs is inherited from system_api_service, so
# the pipe permissions are granted to the whole appdomain attribute to avoid
# listing each individual service that can access system_api_service.
# NOTE(review): this rule is not itself the access check; it relies on the
# service-level gating described above, which is not visible in this file.
allow statsd appdomain:fifo_file { read write getattr };

# Allow statsd to retrieve SurfaceFlinger (SF) statistics over binder.
# NOTE(review): the trailing semicolon is inconsistent with most other macro
# calls in this file.
binder_call(statsd, surfaceflinger);

# Allow statsd to read its own system properties.
get_prop(statsd, device_config_statsd_native_prop)
get_prop(statsd, device_config_statsd_native_boot_prop)

# Allow statsd to read misctrl properties (for 16 KB).
get_prop(statsd, misctrl_prop)

# Allow statsd to write uprobestats configs: read/write access to the
# directory and create access to the files in it.
allow statsd uprobestats_configs_data_file:dir rw_dir_perms;
allow statsd uprobestats_configs_data_file:file create_file_perms;

# Allow statsd to trigger uprobestats via property.
set_prop(statsd, uprobestats_start_with_config_prop);

# Allow statsd to use io_uring.
io_uring_use(statsd)

# Allow statsd to start the uprobestats service by setting its ctl property.
set_prop(statsd, ctl_uprobestats_prop)

# Allow statsd to use binder IPC.
binder_use(statsd)

# Allow statsd to scan through /proc/pid for all processes.
# NOTE(review): the target is the domain attribute, i.e. the /proc/pid entries
# of every process type, so this grant should stay read-only.
r_dir_file(statsd, domain)

# Allow executing files on system, such as running a shell or running:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
# execute_no_trans means a binary labeled system_file runs inside the statsd
# domain, with all statsd permissions and no domain transition. rx_file_perms
# is defined elsewhere; presumably it grants the same for shell and toolbox -
# confirm.
# NOTE(review): anything that can influence which command is run, or its
# arguments, therefore acts with statsd privileges; keep this set minimal.
allow statsd devpts:chr_file { getattr ioctl read write };
allow statsd shell_exec:file rx_file_perms;
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;

# Debuggable (userdebug/eng) builds only: allow statsd to read from a pipe
# owned by the su domain.
userdebug_or_eng(`
  allow statsd su:fifo_file read;
')

# Create, read, and write into
#   /data/misc/stats-active-metric
#   /data/misc/stats-data
#   /data/misc/stats-metadata
#   /data/misc/stats-service
#   /data/misc/train-info
# Both labels get create-level permissions on directories and on files.
allow statsd stats_data_file:dir create_dir_perms;
allow statsd stats_data_file:file create_file_perms;
allow statsd stats_config_data_file:dir create_dir_perms;
allow statsd stats_config_data_file:file create_file_perms;

# Allow statsd to make binder calls to apps, incidentd, system_server and
# traced_probes. Only the domains listed here are covered; this is not a
# grant for every binder service.
binder_call(statsd, appdomain)
binder_call(statsd, incidentd)
binder_call(statsd, system_server)
binder_call(statsd, traced_probes)

# Allow statsd to look up and call gpuservice.
allow statsd gpu_service:service_manager find;
binder_call(statsd, gpuservice)

# Allow statsd to look up and call keystore in order to pull atoms.
allow statsd keystore_service:service_manager find;
binder_call(statsd, keystore)

# Allow statsd to look up and call mediametrics.
allow statsd mediametrics_service:service_manager find;
binder_call(statsd, mediametrics)

# Allow statsd to look up and call mediaserver.
allow statsd mediaserver_service:service_manager find;
binder_call(statsd, mediaserver)

# Allow statsd to read from logd and to issue logd control commands.
# NOTE(review): control_logd is a separate grant from read access - confirm
# statsd still needs both.
read_logd(statsd)
control_logd(statsd)

# Allow statsd to look up the services below.
# Only find is granted here; this rule does not cover registering (add) a
# service.
allow statsd {
  app_api_service
  incident_service
  system_api_service
}:service_manager find;

# Allow statsd to access the health HAL to read battery metrics.
allow statsd hal_health_hwservice:hwservice_manager find;

# Allow statsd to send dump info to dumpstate: use the file descriptor that
# dumpstate passes in and write to its pipe.
allow statsd dumpstate:fd use;
allow statsd dumpstate:fifo_file { getattr write };

# Allow access to hardware-layer (HAL) and process stats.
allow statsd proc_uid_cputime_showstat:file { getattr open read };
hal_client_domain(statsd, hal_health)
hal_client_domain(statsd, hal_power)
hal_client_domain(statsd, hal_power_stats)
hal_client_domain(statsd, hal_thermal)

# Allow 'adb shell cmd' to upload configs and download output.
# These rules only let statsd use descriptors, sockets and pipes handed over
# by adbd and shell.
# NOTE(review): what a shell caller may actually do is presumably decided
# inside statsd; that check is not visible in this file - confirm.
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read write };

# Allow statsd to send to the statsdw socket served by the statsd domain.
# NOTE(review): assumes the macro arguments are (client, socket, server) -
# confirm against the macro definition.
unix_socket_send(statsd, statsdw, statsd)

###
### neverallow rules
###
# neverallow rules are assertions checked when the policy is built; they grant
# nothing at runtime.

# Only statsd, plus the other root services (init, vold) in limited
# circumstances, can get to the files in /data/misc/stats-data and
# /data/misc/stats-service. Every other domain is prohibited from any access
# to these files (the * covers all permissions).
# system_server is additionally exempted for stats_config_data_file.
neverallow { domain -statsd -init -vold } stats_data_file:file *;
neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:file *;


# The same limits apply to the directories themselves.
neverallow { domain -statsd -init -vold } stats_data_file:dir *;
neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:dir *;