1# Perfetto command-line client. Can be used only from the domains that are 2# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto). 3# This command line client accesses the privileged socket of the traced 4# daemon. 5 6type perfetto_exec, system_file_type, exec_type, file_type; 7type perfetto_tmpfs, file_type; 8 9tmpfs_domain(perfetto); 10 11# Allow to access traced's privileged consumer socket. 12unix_socket_connect(perfetto, traced_consumer, traced) 13 14# Connect to the Perfetto traced daemon as a producer. This requires 15# connecting to its producer socket and obtaining a (per-process) tmpfs fd. 16perfetto_producer(perfetto) 17 18# Allow to write and unlink traces into /data/misc/perfetto-traces. 19allow perfetto perfetto_traces_data_file:dir rw_dir_perms; 20allow perfetto perfetto_traces_data_file:file create_file_perms; 21 22# Allow to access binder to pass the traces to Dropbox. 23binder_use(perfetto) 24binder_call(perfetto, system_server) 25allow perfetto dropbox_service:service_manager find; 26 27# Allow perfetto to read the trace config from statsd and shell 28# (both root and non-root) on stdin and also to write the resulting trace to 29# stdout. 30allow perfetto { statsd shell su }:fd use; 31allow perfetto { statsd shell su }:fifo_file { getattr read write }; 32 33# Allow to communicate use, read and write over the adb connection. 34allow perfetto adbd:fd use; 35allow perfetto adbd:unix_stream_socket { read write }; 36 37# Allow adbd to reap perfetto. 38allow perfetto adbd:process { sigchld }; 39 40# Allow perfetto to write to statsd. 41unix_socket_send(perfetto, statsdw, statsd) 42 43# Allow to access /dev/pts when launched in an adb shell. 44allow perfetto devpts:chr_file rw_file_perms; 45 46# Allow perfetto to ask incidentd to start a report. 47allow perfetto incident_service:service_manager find; 48binder_call(perfetto, incidentd) 49 50# perfetto log formatter calls isatty() on its stderr. Denial when running 51# under adbd is harmless. Avoid generating denial logs. 52dontaudit perfetto adbd:unix_stream_socket getattr; 53dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls; 54# As above, when adbd is running in "su" domain (only the ioctl is denied in 55# practice). 56dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls; 57# Similarly, CTS tests end up hitting a denial on shell pipes. 58dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls; 59 60### 61### Neverallow rules 62### 63### perfetto should NEVER do any of this 64 65# Disallow mapping executable memory (execstack and exec are already disallowed 66# globally in domain.te). 67neverallow perfetto self:process execmem; 68 69# Block device access. 70neverallow perfetto dev_type:blk_file { read write }; 71 72# ptrace any other process 73neverallow perfetto domain:process ptrace; 74 75# Disallows access to other /data files. 76neverallow perfetto { 77 data_file_type 78 -system_data_file 79 -system_data_root_file 80 # TODO(b/72998741) Remove exemption. Further restricted in a subsequent 81 # neverallow. Currently only getattr and search are allowed. 82 -vendor_data_file 83 -zoneinfo_data_file 84 -perfetto_traces_data_file 85 with_native_coverage(`-method_trace_data_file') 86}:dir *; 87neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search }; 88neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms; 89neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *; 90neverallow perfetto { 91 data_file_type 92 -zoneinfo_data_file 93 -perfetto_traces_data_file 94 with_native_coverage(`-method_trace_data_file') 95}:file ~write; 96