1# Perfetto command-line client. Can be used only from the domains that are
2# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
3# This command line client accesses the privileged socket of the traced
4# daemon.
5
6type perfetto_exec, system_file_type, exec_type, file_type;
7type perfetto_tmpfs, file_type;
8
9tmpfs_domain(perfetto);
10
11# Allow init to start a trace (for perfetto_boottrace).
12init_daemon_domain(perfetto)
13
14# Allow to access traced's privileged consumer socket.
15unix_socket_connect(perfetto, traced_consumer, traced)
16
17# Connect to the Perfetto traced daemon as a producer. This requires
18# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
19perfetto_producer(perfetto)
20
21# Allow to write and unlink traces into /data/misc/perfetto-traces.
22allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
23allow perfetto perfetto_traces_data_file:file create_file_perms;
24
25# Allow to write and unlink trace into /data/misc/perfetto-traces/bugreport*
26allow perfetto perfetto_traces_bugreport_data_file:file create_file_perms;
27allow perfetto perfetto_traces_bugreport_data_file:dir rw_dir_perms;
28
29# Allow to write and unlink traces into /data/misc/perfetto-traces/profiling.
30allow perfetto perfetto_traces_profiling_data_file:dir rw_dir_perms;
31allow perfetto perfetto_traces_profiling_data_file:file create_file_perms;
32
33# Allow perfetto to access the proxy service for reporting traces.
34allow perfetto tracingproxy_service:service_manager find;
35binder_use(perfetto)
36binder_call(perfetto, system_server)
37
38# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
39# shell and adb can write files into that directory.
40allow perfetto perfetto_configs_data_file:dir r_dir_perms;
41allow perfetto perfetto_configs_data_file:file r_file_perms;
42
43# Allow perfetto to read the trace config from /system/etc/perfetto.
44allow perfetto system_perfetto_config_file:dir r_dir_perms;
45allow perfetto system_perfetto_config_file:file r_file_perms;
46
47# Allow perfetto to read the trace config from statsd, mm_events and shell
48# (both root and non-root) on stdin and also to write the resulting trace to
49# stdout.
50allow perfetto { statsd mm_events shell su }:fd use;
51allow perfetto { statsd mm_events shell su system_server }:fifo_file { getattr read write ioctl };
52
53# Allow to communicate use, read and write over the adb connection.
54allow perfetto adbd:fd use;
55allow perfetto adbd:unix_stream_socket { read write };
56
57# Allow adbd to reap perfetto.
58allow perfetto adbd:process { sigchld };
59
60# Allow perfetto to write to statsd.
61unix_socket_send(perfetto, statsdw, statsd)
62
63# Allow to access /dev/pts when launched in an adb shell.
64allow perfetto devpts:chr_file rw_file_perms;
65
66# Allow perfetto to ask incidentd to start a report.
67# TODO(lalitm): remove all incidentd rules when proxy service is stable.
68allow perfetto incident_service:service_manager find;
69binder_call(perfetto, incidentd)
70
71# perfetto log formatter calls isatty() on its stderr. Denial when running
72# under adbd is harmless. Avoid generating denial logs.
73dontaudit perfetto adbd:unix_stream_socket getattr;
74dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
75# As above, when adbd is running in "su" domain (only the ioctl is denied in
76# practice).
77dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
78# Similarly, CTS tests end up hitting a denial on shell pipes.
79dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
80
81###
82### Neverallow rules
83###
84
85# Disallow anyone else from being able to handle traces except selected system
86# components.
87neverallow {
88  domain
89  -init      # The creator of the folder.
90  -perfetto  # The owner of the folder.
91  -adbd      # For pulling traces.
92  -shell     # For devepment purposes.
93  -traced    # For write_into_file traces.
94  -dumpstate # For attaching traces to bugreports.
95  -incidentd # For receiving reported traces. TODO(lalitm): remove this.
96  -priv_app  # For stating traces for bug-report UI.
97  -system_server # For accessing traces started by profiling apis.
98  -trace_redactor # For accessing traces to be redacted.
99} perfetto_traces_data_file:dir *;
100neverallow {
101  domain
102  -init      # The creator of the folder.
103  -perfetto  # The owner of the folder.
104  -adbd      # For pulling traces.
105  -shell     # For devepment purposes.
106  -traced    # For write_into_file traces.
107  -incidentd      # For receiving reported traces. TODO(lalitm): remove this.
108  -trace_redactor # For redacting trace files.
109} perfetto_traces_data_file:file ~{ getattr read };
110
111### perfetto should NEVER do any of the following
112
113# Disallow mapping executable memory (execstack and exec are already disallowed
114# globally in domain.te).
115neverallow perfetto self:process execmem;
116
117# Block device access.
118neverallow perfetto dev_type:blk_file { read write };
119
120# ptrace any other process
121neverallow perfetto domain:process ptrace;
122
123# Disallows access to other /data files.
124neverallow perfetto {
125  data_file_type
126  -system_data_file
127  -system_data_root_file
128  -media_userdir_file
129  -system_userdir_file
130  -vendor_userdir_file
131  # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
132  # neverallow. Currently only getattr and search are allowed.
133  -vendor_data_file
134  -perfetto_traces_data_file
135  -perfetto_traces_bugreport_data_file
136  -perfetto_traces_profiling_data_file
137  -perfetto_configs_data_file
138  with_native_coverage(`-method_trace_data_file')
139}:dir *;
140neverallow perfetto {
141  system_data_file
142  -perfetto_traces_data_file
143  -perfetto_traces_profiling_data_file
144}:dir ~{ getattr search };
145neverallow perfetto {
146  data_file_type
147  -perfetto_traces_data_file
148  -perfetto_traces_bugreport_data_file
149  -perfetto_traces_profiling_data_file
150  -perfetto_configs_data_file
151  with_native_coverage(`-method_trace_data_file')
152}:file ~write;
153