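# Perfetto user-space tracing daemon (unprivileged).
#
# Layout: type declarations and the small set of allow rules come first; the
# second half of the file is neverallow rules that pin down what traced must
# never be granted, so that a future allow rule widening its reach fails at
# policy build time rather than at runtime.
type traced, domain, coredomain, mlstrustedsubject;
type traced_exec, exec_type, file_type;

# Allow init to exec the daemon.
init_daemon_domain(traced)

# Allow apps in other MLS contexts (for multi-user) to access
# shared memory buffers created by traced.
typeattribute traced_tmpfs mlstrustedobject;

# Allow traced to start with a lower scheduling class and change
# class according to what is defined in the config provided by
# the privileged process that controls it.
allow traced self:global_capability_class_set { sys_nice };

# Allow passing a file descriptor for the output trace from "perfetto" (the
# cmdline client) and other shell binaries to traced and let traced write
# directly into that (rather than returning the trace contents over the socket).
# perfetto_traces_data_file is the only /data file type traced may write to;
# the neverallow on data_file_type:file below enforces that.
allow traced perfetto:fd use;
allow traced shell:fd use;
allow traced perfetto_traces_data_file:file { read write };

###
### Neverallow rules
###
### traced should NEVER do any of this

# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced self:process execmem;

# Block device access.
neverallow traced dev_type:blk_file { read write };

# ptrace any other process
neverallow traced domain:process ptrace;

# Disallows access to /data files, still allowing to write to file descriptors
# passed through the socket.
neverallow traced {
  data_file_type
  -system_data_file
  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
  # subsequent neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
  -zoneinfo_data_file
}:dir *;
# The two /data types exempted above (other than zoneinfo) are limited to
# directory traversal only. vendor_data_file is listed here so that its
# exemption in the rule above is actually narrowed to getattr/search, as the
# TODO comment states; previously only system_data_file was narrowed and the
# vendor_data_file exemption was left unrestricted by this file.
neverallow traced { system_data_file vendor_data_file }:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
# No /data file may be touched except for the trace output file (write only),
# matching the allow rule on perfetto_traces_data_file above.
neverallow traced {
  data_file_type
  -zoneinfo_data_file
  -perfetto_traces_data_file
}:file ~write;

# Only init is allowed to enter the traced domain via exec() ...
neverallow { domain -init } traced:process transition;
# ... and no domain at all may enter it via a dynamic transition.
neverallow * traced:process dyntransition;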