1# Perfetto user-space tracing daemon (unprivileged)
2type traced, domain, coredomain, mlstrustedsubject;
3type traced_exec, exec_type, file_type;
4
5# Allow init to exec the daemon.
6init_daemon_domain(traced)
7
8# Allow apps in other MLS contexts (for multi-user) to access
9# share memory buffers created by traced.
10typeattribute traced_tmpfs mlstrustedobject;
11
12# Allow traced to start with a lower scheduling class and change
13# class accordingly to what defined in the config provided by
14# the privileged process that controls it.
15allow traced self:global_capability_class_set { sys_nice };
16
17# Allow to pass a file descriptor for the output trace from "perfetto" (the
18# cmdline client) and other shell binaries to traced and let traced write
19# directly into that (rather than returning the trace contents over the socket).
20allow traced perfetto:fd use;
21allow traced shell:fd use;
22allow traced perfetto_traces_data_file:file { read write };
23
24###
25### Neverallow rules
26###
27### traced should NEVER do any of this
28
29# Disallow mapping executable memory (execstack and exec are already disallowed
30# globally in domain.te).
31neverallow traced self:process execmem;
32
33# Block device access.
34neverallow traced dev_type:blk_file { read write };
35
36# ptrace any other process
37neverallow traced domain:process ptrace;
38
39# Disallows access to /data files, still allowing to write to file descriptors
40# passed through the socket.
41neverallow traced {
42  data_file_type
43  -system_data_file
44  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
45  # subsequent neverallow. Currently only getattr and search are allowed.
46  -vendor_data_file
47  -zoneinfo_data_file
48}:dir *;
49neverallow traced { system_data_file }:dir ~{ getattr search };
50neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
51neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
52neverallow traced {
53  data_file_type
54  -zoneinfo_data_file
55  -perfetto_traces_data_file
56}:file ~write;
57
58# Only init is allowed to enter the traced domain via exec()
59neverallow { domain -init } traced:process transition;
60neverallow * traced:process dyntransition;
61