# Perfetto tracing probes, has tracefs access.
type traced_probes_exec, system_file_type, exec_type, file_type;
type traced_probes_tmpfs, file_type;

# Allow init to exec the daemon.
init_daemon_domain(traced_probes)
tmpfs_domain(traced_probes)

# Write trace data to the Perfetto traced daemon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(traced_probes)

# Allow traced_probes to access tracefs.
# Read-only on the tracefs directory tree, read/write on its files (needed to
# configure ftrace); the trace_marker node only gets getattr, no write is
# granted here.
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;

# Allow traced_probes to access mm_events trace instance
# (search only on the instances dir, read/write on the mm_events instance files).
allow traced_probes debugfs_tracing_instances:dir search;
allow traced_probes debugfs_mm_events_tracing:dir search;
allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;

# TODO(primiano): temporarily I/O tracing categories are still
# userdebug only until we nail down the denylist/allowlist.
# Not granted on user builds: the debug tracefs nodes stay out of reach there.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
')

# Allow traced_probes to start with a higher scheduling class and then downgrade
# itself.
# sys_nice is the only capability granted for this; keep it that way.
allow traced_probes self:global_capability_class_set { sys_nice };

# Allow procfs access
# r_dir_file on the `domain` attribute: read access to the /proc/<pid> entries
# of every process domain, presumably for the per-process stats probes.
r_dir_file(traced_probes, domain)

# Allow to temporarily lift the kptr_restrict setting and build a symbolization
# map reading /proc/kallsyms.
# Lowering kptr_restrict is userdebug/eng only; the kallsyms read itself is
# granted on all builds. NOTE(review): on user builds what is actually readable
# is then governed by the kernel's kptr_restrict value -- confirm.
userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
allow traced_probes proc_kallsyms:file r_file_perms;

# Allow to read packages.list file.
# (Exempted from the data_file_type:file neverallow at the end of this file.)
allow traced_probes packages_list_file:file r_file_perms;

# Allow to read game_mode_intervention.list file.
# (Also exempted from the data_file_type:file neverallow.)
allow traced_probes game_mode_intervention_list_file:file r_file_perms;

# Allow to log to kernel dmesg when starting / stopping ftrace.
# write only, no read: dmesg contents are not exposed to traced_probes here.
allow traced_probes kmsg_device:chr_file write;

# Allow traced_probes to list the system partition.
allow traced_probes system_file:dir { open read };

# Allow traced_probes to list some of the data partition.
# dac_read_search lets it traverse/read directories regardless of DAC mode bits;
# the set of /data labels it may touch is bounded by the allow rules below plus
# the data_file_type neverallows at the end of this file (directory listing
# only, no file reads).
allow traced_probes self:global_capability_class_set dac_read_search;

allow traced_probes apk_data_file:dir { getattr open read search };
allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
userdebug_or_eng(`
# search and getattr are granted via domain and coredomain, respectively.
allow traced_probes system_data_file:dir { open read };
')
allow traced_probes system_app_data_file:dir { getattr open read search };
allow traced_probes backup_data_file:dir { getattr open read search };
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };

# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
# Auto-transition into the atrace domain on exec, so atrace never runs with
# traced_probes' own permissions.
domain_auto_trans(traced_probes, atrace_exec, atrace);

# Allow traced_probes to kill atrace on timeout.
allow traced_probes atrace:process sigkill;

# Allow traced_probes to access /proc files for system stats.
# Note: trace data is NOT exposed to anything other than shell and privileged
# system apps that have access to the traced consumer socket.
allow traced_probes {
  proc_meminfo
  proc_vmstat
  proc_stat
  proc_buddyinfo
  proc_pressure_cpu
  proc_pressure_io
  proc_pressure_mem
}:file r_file_perms;

# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
allow traced_probes sysfs_devfreq_cur:file r_file_perms;

# Allow access to read /proc/diskstats for I/O profiling.
allow traced_probes proc_diskstats:file r_file_perms;

# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
hal_client_domain(traced_probes, hal_health)
hal_client_domain(traced_probes, hal_power_stats)

# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
hal_client_domain(traced_probes, hal_atrace)

# On debug builds allow to ingest system logs into the trace.
# Deliberately not granted on user builds: log contents would otherwise end up
# in traces readable by any consumer of the traced socket.
userdebug_or_eng(`read_logd(traced_probes)')

# Allow traced_probes to talk to statsd for logging metrics and recording atoms.
unix_socket_send(traced_probes, statsdw, statsd)
binder_call(traced_probes, statsd)
allow traced_probes stats_service:service_manager find;

# Allow reading the system property representing number of desktop windows to
# set the initial value for the counter in traces.
get_prop(traced_probes, debug_tracing_desktop_mode_visible_tasks_prop)

###
### Neverallow rules
###
### traced_probes should NEVER do any of this

# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced_probes self:process execmem;

# Block device access.
neverallow traced_probes dev_type:blk_file { read write };

# ptrace any other app
neverallow traced_probes domain:process ptrace;

# Disallows access to /data files.
# Directory access on /data is limited to the listing-only labels allowed
# above; every exemption here must stay in sync with the corresponding allow
# rule. The neverallow is what the policy compiler checks, so a new allow
# without a matching exemption fails the build instead of silently widening
# access.
neverallow traced_probes {
  data_file_type
  -apex_module_data_file
  -apex_art_data_file
  -apk_data_file
  -dalvikcache_data_file
  -system_data_file
  -system_data_root_file
  -media_userdir_file
  -system_userdir_file
  -vendor_userdir_file
  -system_app_data_file
  -backup_data_file
  -bootstat_data_file
  -update_engine_data_file
  -update_engine_log_data_file
  -user_profile_root_file
  -user_profile_data_file
  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
  # subsequent neverallow. Currently only getattr and search are allowed.
  # NOTE(review): that follow-up neverallow is not in this file as shown;
  # confirm it lives elsewhere before relying on it.
  -vendor_data_file
  with_native_coverage(`-method_trace_data_file')
}:dir *;
# system_data_file: open/read only on userdebug/eng, mirroring the conditional
# allow above; on user builds only getattr and search remain permitted.
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
# No /data file contents may be read, except the two list files allowed above
# (and method traces when native coverage is enabled).
neverallow traced_probes {
  data_file_type
  -packages_list_file
  with_native_coverage(`-method_trace_data_file')
  -game_mode_intervention_list_file
}:file *;

# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
neverallow * traced_probes:process dyntransition;
