tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/perfetto.te

153 lines
5.7 KiB
Text
Raw Normal View History

SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
# Perfetto command-line client. Can be used only from the domains that are
Update language to comply with Android's inclusive language guidance See https://source.android.com/setup/contribute/respectful-code for reference Bug: 161896447 Change-Id: I0caf39b349c48e44123775d98c52a773b0b504ff
2020-07-31 20:28:11 +02:00
# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
# This command line client accesses the privileged socket of the traced
# daemon.
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 19:21:37 +02:00
type perfetto_exec, system_file_type, exec_type, file_type;
Properly Treble-ize tmpfs access This is being done in preparation for the migration from ashmem to memfd. In order for tmpfs objects to be usable across the Treble boundary, they need to be declared in public policy whereas, they're currently all declared in private policy as part of the tmpfs_domain() macro. Remove the type declaration from the macro, and remove tmpfs_domain() from the init_daemon_domain() macro to avoid having to declare the *_tmpfs types for all init launched domains. tmpfs is mostly used by apps and the media frameworks. Bug: 122854450 Test: Boot Taimen and blueline. Watch videos, make phone calls, browse internet, send text, install angry birds...play angry birds, keep playing angry birds... Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358 Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358 (cherry picked from commit e16fb9109c678f47aa7698605477d9a6baf398fb)
2019-01-24 00:07:40 +01:00
type perfetto_tmpfs, file_type;
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
tmpfs_domain(perfetto);
Allow init to run perfetto Bug: 201387964 Change-Id: I20bb6cd32b9b7d6e0be1ca1fef2bff6f9165bb04
2021-09-30 19:14:40 +02:00
# Allow init to start a trace (for perfetto_boottrace).
init_daemon_domain(perfetto)
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
# Allow to access traced's privileged consumer socket.
unix_socket_connect(perfetto, traced_consumer, traced)
Add producer socket to the selinux perfetto domain. This change allows the perfetto cmdline client to access the (unprivileged) producer socket of traced, with the intent of triggering finalization of already running traces (see b/130135730). Matching change: aosp/932138 Note that: - perfetto cmdline can already access the consumer socket (to start tracing sessions). - The producer socket is already exposed to most domains, including unprivileged apps. Bug: 130135730 Bug: 128966650 Change-Id: Id9106279584798e6689102085fa46a0b7ecb1ba7
2019-04-04 20:19:40 +02:00
# Connect to the Perfetto traced daemon as a producer. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
Allow Java domains to be Perfetto producers. This is needed to get Java heap graphs. Test: flash aosp; profile system_server with setenforce 1 Bug: 136210868 Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-08 17:15:14 +02:00
perfetto_producer(perfetto)
Add producer socket to the selinux perfetto domain. This change allows the perfetto cmdline client to access the (unprivileged) producer socket of traced, with the intent of triggering finalization of already running traces (see b/130135730). Matching change: aosp/932138 Note that: - perfetto cmdline can already access the consumer socket (to start tracing sessions). - The producer socket is already exposed to most domains, including unprivileged apps. Bug: 130135730 Bug: 128966650 Change-Id: Id9106279584798e6689102085fa46a0b7ecb1ba7
2019-04-04 20:19:40 +02:00
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
# Allow to write and unlink traces into /data/misc/perfetto-traces.
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
Allow perfetto to write into perfetto_traces_bugreport_data_file We are changing the --save-for-bugreport feature and moving the file opening/write from the traced service to the perfetto cmdline client. This is as part of a bigger refactor to simplify the API surface in view of non-destructive snapshots of trace buffers. Add matching sepolicies to perfetto.te Bug: 260112703 Test: atest perfetto_integrationtests --test-filter '*PerfettoCmdlineTest*' Change-Id: Ic1dd6b1bf3183f6b7fb551859e35cae950676ffb
2023-03-28 13:28:34 +02:00
# Allow to write and unlink trace into /data/misc/perfetto-traces/bugreport*
allow perfetto perfetto_traces_bugreport_data_file:file create_file_perms;
allow perfetto perfetto_traces_bugreport_data_file:dir rw_dir_perms;
Add context that system server can access and perfetto can save traces to Give perfetto rw dir and create file permissions for new directory. Give system server control to read, write, search, unlink files from new directory. Test: locally ensure traces can be written by perfetto and accessed and deleted by system server Bug: 293957254 Change-Id: Id015429b48ffffb73e7a71addddd48a22e4740bf
2024-02-15 21:16:46 +01:00
# Allow to write and unlink traces into /data/misc/perfetto-traces/profiling.
allow perfetto perfetto_traces_profiling_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_profiling_data_file:file create_file_perms;
sepolicy: add permissions for trace reporting Bug: 205892741 Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
2021-12-10 22:50:44 +01:00
# Allow perfetto to access the proxy service for reporting traces.
allow perfetto tracingproxy_service:service_manager find;
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
binder_use(perfetto)
binder_call(perfetto, system_server)
Create directory for shell<>perfetto interaction Users are unable to pass config files directly to perfetto via `perfetto -c /path/to/config` and have to resort to awkward quirks like `cat config | perfetto -c -'. This is because /system/bin/perfetto runs in its own SELinux domain for reasons explained in the bug. This causes problem to test infrastructures authors. Instead of allowing the use of /data/local/tmp which is too ill-scoped we create a dedicated folder and allow only shell and perfetto to operate on it. Bug: 170404111 Test: manual, see aosp/1459023 Change-Id: I6fefe066f93f1f389c6f45bd18214f8e8b07079e
2020-10-13 22:13:09 +02:00
# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
# shell and adb can write files into that directory.
allow perfetto perfetto_configs_data_file:dir r_dir_perms;
allow perfetto perfetto_configs_data_file:file r_file_perms;
Add perfetto persistent tracing configuration file Bug: 325622427 Change-Id: Ia77a029dfddfb3108bb6fdd2d3c6d5b4d9909f7b
2024-02-16 18:51:49 +01:00
# Allow perfetto to read the trace config from /system/etc/perfetto.
allow perfetto system_perfetto_config_file:dir r_dir_perms;
allow perfetto system_perfetto_config_file:file r_file_perms;
Sepolicy for mm_events Allow mm_events to periodically arm the mm_events perfetto trace config if mm_events is enabled. Bug: 183037386 Test: boot; setprop persist.mm_events.enabled true; No avc denials Change-Id: Ia9760001e7fb591f18e3e816a63281167a658c74
2021-03-16 19:30:36 +01:00
# Allow perfetto to read the trace config from statsd, mm_events and shell
Allow adb root to send config to perfetto The perfetto binary (the frontend to traced) reads an input config from stdin. This CL adds allows perfetto to read the config from adb shell when the user is rooted Sample denials: avc: denied { read } for comm="perfetto" path="pipe:[92340]" dev="pipefs" ino=92340 scontext=u:r:perfetto:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=0 avc: denied { read } for comm="perfetto" path="pipe:[92491]" dev="pipefs" ino=92491 scontext=u:r:perfetto:s0 tcontext=u:r:su:s0 tclass=fifo_file permissive=0 Test: adb root adb shell echo 'duration_ms: 1000;' > /sdcard/config cat /sdcard/config | perfetto --txt -c - -d Change-Id: I12042dfa9a2c262cec907f0231ce2184f46d1be8
2018-11-16 16:52:55 +01:00
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
Sepolicy for mm_events Allow mm_events to periodically arm the mm_events perfetto trace config if mm_events is enabled. Bug: 183037386 Test: boot; setprop persist.mm_events.enabled true; No avc denials Change-Id: Ia9760001e7fb591f18e3e816a63281167a658c74
2021-03-16 19:30:36 +01:00
allow perfetto { statsd mm_events shell su }:fd use;
Add rules for Perfetto to be used from system_server This includes rules for starting Perfetto as well as rules for communicating over stdio between Perfetto and system_server. Bug: 293957254 Test: Presubmit & tested in conjunction with internal change Change-Id: I7e4c044a6a2afb48c33d65cc421e797d77aacc12
2024-02-12 18:15:49 +01:00
allow perfetto { statsd mm_events shell su system_server }:fifo_file { getattr read write ioctl };
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
allow perfetto adbd:unix_stream_socket { read write };
Allow Perfetto to log to statsd Denial: 10-31 21:17:11.150 8148 8148 W perfetto: type=1400 audit(0.0:135): avc: denied { write } for name="statsdw" dev="tmpfs" ino=33205 scontext=u:r:perfetto:s0 tcontext=u:object_r:statsdw_socket:s0 tclass=sock_file permissive=0 Bug: b/139351286 Test: adb shell perfetto -c :test --dropbox perfetto, watch logcat for denials Change-Id: I401f1625212f85831ce54116271752578db29578
2019-11-01 13:53:18 +01:00
# Allow adbd to reap perfetto.
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
allow perfetto adbd:process { sigchld };
Allow Perfetto to log to statsd Denial: 10-31 21:17:11.150 8148 8148 W perfetto: type=1400 audit(0.0:135): avc: denied { write } for name="statsdw" dev="tmpfs" ino=33205 scontext=u:r:perfetto:s0 tcontext=u:object_r:statsdw_socket:s0 tclass=sock_file permissive=0 Bug: b/139351286 Test: adb shell perfetto -c :test --dropbox perfetto, watch logcat for denials Change-Id: I401f1625212f85831ce54116271752578db29578
2019-11-01 13:53:18 +01:00
# Allow perfetto to write to statsd.
unix_socket_send(perfetto, statsdw, statsd)
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
# Allow to access /dev/pts when launched in an adb shell.
allow perfetto devpts:chr_file rw_file_perms;
userdebug: support perfetto traces as a section in incident reports This set of patches adds a way for the perfetto command line client to save a trace to a hardcoded location, /data/misc/perfetto-traces/incident-trace, and call into incidentd to start a report, which will include said trace in a new section. This is not a long-term solution, and is structured to minimize changes to perfetto and incidentd. The latter is currently architected in a way where it can only pull pre-defined information out of the system, so we're resorting to persisting the intermediate results in a hardcoded location. This will introduce at most two more linked files at the same time. Bug: 130543265 Bug: 134706389 Tested: manually on blueline-userdebug Change-Id: I2aa27e25f0209b3a5cdf5d550d0312693932b808
2019-05-29 18:50:44 +02:00
# Allow perfetto to ask incidentd to start a report.
sepolicy: add permissions for trace reporting Bug: 205892741 Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
2021-12-10 22:50:44 +01:00
# TODO(lalitm): remove all incidentd rules when proxy service is stable.
Allow incidentd to attach perfetto traces on user. Bug: 151140716 Change-Id: I821d1a504e6ffcea3a52e2c76bf2290e7b382a48
2020-03-26 17:19:21 +01:00
allow perfetto incident_service:service_manager find;
binder_call(perfetto, incidentd)
userdebug: support perfetto traces as a section in incident reports This set of patches adds a way for the perfetto command line client to save a trace to a hardcoded location, /data/misc/perfetto-traces/incident-trace, and call into incidentd to start a report, which will include said trace in a new section. This is not a long-term solution, and is structured to minimize changes to perfetto and incidentd. The latter is currently architected in a way where it can only pull pre-defined information out of the system, so we're resorting to persisting the intermediate results in a hardcoded location. This will introduce at most two more linked files at the same time. Bug: 130543265 Bug: 134706389 Tested: manually on blueline-userdebug Change-Id: I2aa27e25f0209b3a5cdf5d550d0312693932b808
2019-05-29 18:50:44 +02:00
perfetto: minor quality of life tweaks Change 1: when running the "perfetto" binary via "adb shell perfetto...", ctrl-Cing the host process doesn't propagate the teardown to the on-device process (which normally should stop the tracing session immediately). Allow signals adbd->perfetto to resolve. Change 2: don't print audit logs for a harmless isatty() check on adb sockets when they're the stderr of a "perfetto" process. Example denials from the isatty() check (ioctl is TCGETS): avc: denied { getattr } for path="socket:[244990]" dev="sockfs" ino=244990 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0 avc: denied { ioctl } for path="socket:[244992]" dev="sockfs" ino=244992 ioctlcmd=0x5401 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0 Example denial from ctrl-c'ing "adb shell perfetto ...": avc: denied { signal } for comm=7368656C6C20737663203134343537 scontext=u:r:adbd:s0 tcontext=u:r:perfetto:s0 tclass=process permissive=0 Tested: patched onto an internal branch, then verified that denials are gone on a flashed crosshatch-userdebug. Change-Id: I1dbe00ea91e3c3377d6e5eab05ad99620e02b965
2020-03-24 22:39:41 +01:00
# perfetto log formatter calls isatty() on its stderr. Denial when running
# under adbd is harmless. Avoid generating denial logs.
dontaudit perfetto adbd:unix_stream_socket getattr;
dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
# As above, when adbd is running in "su" domain (only the ioctl is denied in
# practice).
dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
perfetto: don't audit isatty() check on shell pipes CTS runs are being polluted by denial logs from the best-effort isatty ( -> TCGETS ioctl) check done by the perfetto's log formatter. This patch suppresses the denial. I believe that what's actually being denied is the ioctl itself, NOT the TCGETS aspect of it (there is a domain-wide fifo_file TCGETS allowxperms rule in domain.te:303). But the "dontauditxerms" suppresses the denial anyway. Bug: 159988048 Merged-In: Ieee1d7de8b023dd632d0e37afa3a2434cfd1a3a1 Change-Id: Ieee1d7de8b023dd632d0e37afa3a2434cfd1a3a1 (cherry picked from commit 8519c6d316b12c30a453b43014ef31fb7f4d937f)
2020-06-22 20:35:14 +02:00
# Similarly, CTS tests end up hitting a denial on shell pipes.
dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
perfetto: minor quality of life tweaks Change 1: when running the "perfetto" binary via "adb shell perfetto...", ctrl-Cing the host process doesn't propagate the teardown to the on-device process (which normally should stop the tracing session immediately). Allow signals adbd->perfetto to resolve. Change 2: don't print audit logs for a harmless isatty() check on adb sockets when they're the stderr of a "perfetto" process. Example denials from the isatty() check (ioctl is TCGETS): avc: denied { getattr } for path="socket:[244990]" dev="sockfs" ino=244990 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0 avc: denied { ioctl } for path="socket:[244992]" dev="sockfs" ino=244992 ioctlcmd=0x5401 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0 Example denial from ctrl-c'ing "adb shell perfetto ...": avc: denied { signal } for comm=7368656C6C20737663203134343537 scontext=u:r:adbd:s0 tcontext=u:r:perfetto:s0 tclass=process permissive=0 Tested: patched onto an internal branch, then verified that denials are gone on a flashed crosshatch-userdebug. Change-Id: I1dbe00ea91e3c3377d6e5eab05ad99620e02b965
2020-03-24 22:39:41 +01:00
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
###
### Neverallow rules
###
sepolicy: add permissions for trace reporting Bug: 205892741 Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
2021-12-10 22:50:44 +01:00
# Disallow anyone else from being able to handle traces except selected system
# components.
neverallow {
domain
-init # The creator of the folder.
-perfetto # The owner of the folder.
-adbd # For pulling traces.
-shell # For devepment purposes.
-traced # For write_into_file traces.
-dumpstate # For attaching traces to bugreports.
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
-priv_app # For stating traces for bug-report UI.
Add context that system server can access and perfetto can save traces to Give perfetto rw dir and create file permissions for new directory. Give system server control to read, write, search, unlink files from new directory. Test: locally ensure traces can be written by perfetto and accessed and deleted by system server Bug: 293957254 Change-Id: Id015429b48ffffb73e7a71addddd48a22e4740bf
2024-02-15 21:16:46 +01:00
-system_server # For accessing traces started by profiling apis.
Changes to allow trace redactor to run Updates to allow profiling module to run new trace_redactor binary. Allow the trace_redactor binary to read the input trace file and write the output file. Bug: 327423523 Test: build/flash and atest CtsProfilingModuleTests#testRequestSystemTraceSuccess Change-Id: Id6684d8a9891e9ed42fe115066e41a89a7e8a097
2024-03-28 18:50:53 +01:00
-trace_redactor # For accessing traces to be redacted.
sepolicy: add permissions for trace reporting Bug: 205892741 Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
2021-12-10 22:50:44 +01:00
} perfetto_traces_data_file:dir *;
neverallow {
domain
-init # The creator of the folder.
-perfetto # The owner of the folder.
-adbd # For pulling traces.
-shell # For devepment purposes.
-traced # For write_into_file traces.
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
Changes to allow trace redactor to run Updates to allow profiling module to run new trace_redactor binary. Allow the trace_redactor binary to read the input trace file and write the output file. Bug: 327423523 Test: build/flash and atest CtsProfilingModuleTests#testRequestSystemTraceSuccess Change-Id: Id6684d8a9891e9ed42fe115066e41a89a7e8a097
2024-03-28 18:50:53 +01:00
-trace_redactor # For redacting trace files.
sepolicy: add permissions for trace reporting Bug: 205892741 Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
2021-12-10 22:50:44 +01:00
} perfetto_traces_data_file:file ~{ getattr read };
### perfetto should NEVER do any of the following
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow perfetto self:process execmem;
# Block device access.
neverallow perfetto dev_type:blk_file { read write };
# ptrace any other process
neverallow perfetto domain:process ptrace;
# Disallows access to other /data files.
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
neverallow perfetto {
data_file_type
-system_data_file
Root of /data belongs to init (re-landing) Give /data itself a different label to its contents, to ensure that only init creates files and directories there. This change originally landed as aosp/1106014 and was reverted in aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying problem, and with that we can re-land this change. Bug: 139190159 Bug: 140402208 Test: aosp boots, logs look good Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
2019-08-02 00:57:47 +02:00
-system_data_root_file
Restrict creating per-user encrypted directories Creating a per-user encrypted directory such as /data/system_ce/0 and the subdirectories in it too early has been a recurring bug. Typically, individual services in system_server are to blame; system_server has permission to create these directories, and it's easy to write "mkdirs()" instead of "mkdir()". Such bugs are very bad, as they prevent these directories from being encrypted, as encryption policies can only be set on empty directories. Due to recent changes, a factory reset is now forced in such cases, which helps detect these bugs; however, it would be much better to prevent them in the first place. This CL locks down the ability to create these directories to just vold and init, or to just vold when possible. This is done by assigning new types to the directories that contain these directories, and then only allowing the needed domains to write to these parent directories. This is similar to what https://r.android.com/1117297 did for /data itself. Three new types are used instead of just one, since these directories had three different types already (system_data_file, media_rw_data_file, vendor_data_file), and this allows the policy to be a bit more precise. A significant limitation is that /data/user/0 is currently being created by init during early boot. Therefore, this CL doesn't help much for /data/user/0, though it helps a lot for the other directories. As the next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this CL is needed regardless of whether we're able to do that. Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then created and deleted a user. Used 'ls -lZ' to check the relevant SELinux labels on both internal and adoptable storage. Also did similar tests on raven, with the addition of going through the setup wizard and using an app that creates media files. No relevant SELinux denials seen during any of this. Bug: 156305599 Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 00:18:02 +02:00
-media_userdir_file
-system_userdir_file
-vendor_userdir_file
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-perfetto_traces_data_file
Allow perfetto to write into perfetto_traces_bugreport_data_file We are changing the --save-for-bugreport feature and moving the file opening/write from the traced service to the perfetto cmdline client. This is as part of a bigger refactor to simplify the API surface in view of non-destructive snapshots of trace buffers. Add matching sepolicies to perfetto.te Bug: 260112703 Test: atest perfetto_integrationtests --test-filter '*PerfettoCmdlineTest*' Change-Id: Ic1dd6b1bf3183f6b7fb551859e35cae950676ffb
2023-03-28 13:28:34 +02:00
-perfetto_traces_bugreport_data_file
Add context that system server can access and perfetto can save traces to Give perfetto rw dir and create file permissions for new directory. Give system server control to read, write, search, unlink files from new directory. Test: locally ensure traces can be written by perfetto and accessed and deleted by system server Bug: 293957254 Change-Id: Id015429b48ffffb73e7a71addddd48a22e4740bf
2024-02-15 21:16:46 +01:00
-perfetto_traces_profiling_data_file
Create directory for shell<>perfetto interaction Users are unable to pass config files directly to perfetto via `perfetto -c /path/to/config` and have to resort to awkward quirks like `cat config | perfetto -c -'. This is because /system/bin/perfetto runs in its own SELinux domain for reasons explained in the bug. This causes problem to test infrastructures authors. Instead of allowing the use of /data/local/tmp which is too ill-scoped we create a dedicated folder and allow only shell and perfetto to operate on it. Bug: 170404111 Test: manual, see aosp/1459023 Change-Id: I6fefe066f93f1f389c6f45bd18214f8e8b07079e
2020-10-13 22:13:09 +02:00
-perfetto_configs_data_file
In native coverage builds, allow all domains to access /data/misc/trace Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 00:05:15 +02:00
with_native_coverage(`-method_trace_data_file')
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
}:dir *;
Add context that system server can access and perfetto can save traces to Give perfetto rw dir and create file permissions for new directory. Give system server control to read, write, search, unlink files from new directory. Test: locally ensure traces can be written by perfetto and accessed and deleted by system server Bug: 293957254 Change-Id: Id015429b48ffffb73e7a71addddd48a22e4740bf
2024-02-15 21:16:46 +01:00
neverallow perfetto {
system_data_file
-perfetto_traces_data_file
-perfetto_traces_profiling_data_file
}:dir ~{ getattr search };
In native coverage builds, allow all domains to access /data/misc/trace Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 00:05:15 +02:00
neverallow perfetto {
data_file_type
-perfetto_traces_data_file
Allow perfetto to write into perfetto_traces_bugreport_data_file We are changing the --save-for-bugreport feature and moving the file opening/write from the traced service to the perfetto cmdline client. This is as part of a bigger refactor to simplify the API surface in view of non-destructive snapshots of trace buffers. Add matching sepolicies to perfetto.te Bug: 260112703 Test: atest perfetto_integrationtests --test-filter '*PerfettoCmdlineTest*' Change-Id: Ic1dd6b1bf3183f6b7fb551859e35cae950676ffb
2023-03-28 13:28:34 +02:00
-perfetto_traces_bugreport_data_file
Add context that system server can access and perfetto can save traces to Give perfetto rw dir and create file permissions for new directory. Give system server control to read, write, search, unlink files from new directory. Test: locally ensure traces can be written by perfetto and accessed and deleted by system server Bug: 293957254 Change-Id: Id015429b48ffffb73e7a71addddd48a22e4740bf
2024-02-15 21:16:46 +01:00
-perfetto_traces_profiling_data_file
Create directory for shell<>perfetto interaction Users are unable to pass config files directly to perfetto via `perfetto -c /path/to/config` and have to resort to awkward quirks like `cat config | perfetto -c -'. This is because /system/bin/perfetto runs in its own SELinux domain for reasons explained in the bug. This causes problem to test infrastructures authors. Instead of allowing the use of /data/local/tmp which is too ill-scoped we create a dedicated folder and allow only shell and perfetto to operate on it. Bug: 170404111 Test: manual, see aosp/1459023 Change-Id: I6fefe066f93f1f389c6f45bd18214f8e8b07079e
2020-10-13 22:13:09 +02:00
-perfetto_configs_data_file
In native coverage builds, allow all domains to access /data/misc/trace Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 00:05:15 +02:00
with_native_coverage(`-method_trace_data_file')
}:file ~write;
Reference in a new issue Copy permalink