tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/traced_probes.te

165 lines
6 KiB
Text
Raw Normal View History

Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Perfetto tracing probes, has tracefs access.
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 19:21:37 +02:00
type traced_probes_exec, system_file_type, exec_type, file_type;
perfetto: allow producers to supply shared memory This concerns the data transfer between an untrusted producer process, and the tracing service (traced daemon). They communicate over a combination of a unix socket and shared memory. Normally, the service creates the shared memory region, and hands it off to the producer process (see perfetto_producer() macro). This patch allows for an alternative scheme, where the producer process is allowed to create the shared memory region, which will then be adopted by the tracing service. The service already inherently doesn't trust the producer, so it'll validate that the shared memory is appropriately sealed before using it. The immediate use-case is chrome's go/perfetto-startup-tracing-v2. But this mode has advantages (e.g. being able to write to the shared memory before connecting) for other producer domains as well. Bug: 148841422 Change-Id: I90f864b900958792553f0208f4a0041dbf2892cc
2020-02-04 14:44:14 +01:00
type traced_probes_tmpfs, file_type;
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Allow init to exec the daemon.
init_daemon_domain(traced_probes)
perfetto: allow producers to supply shared memory This concerns the data transfer between an untrusted producer process, and the tracing service (traced daemon). They communicate over a combination of a unix socket and shared memory. Normally, the service creates the shared memory region, and hands it off to the producer process (see perfetto_producer() macro). This patch allows for an alternative scheme, where the producer process is allowed to create the shared memory region, which will then be adopted by the tracing service. The service already inherently doesn't trust the producer, so it'll validate that the shared memory is appropriately sealed before using it. The immediate use-case is chrome's go/perfetto-startup-tracing-v2. But this mode has advantages (e.g. being able to write to the shared memory before connecting) for other producer domains as well. Bug: 148841422 Change-Id: I90f864b900958792553f0208f4a0041dbf2892cc
2020-02-04 14:44:14 +01:00
tmpfs_domain(traced_probes)
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Write trace data to the Perfetto traced damon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
Allow Java domains to be Perfetto producers. This is needed to get Java heap graphs. Test: flash aosp; profile system_server with setenforce 1 Bug: 136210868 Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-08 17:15:14 +02:00
perfetto_producer(traced_probes)
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Allow traced_probes to access tracefs.
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
New type for printk_formats, allow traced_probes. Test: ls -lZ /sys/kernel/tracing/printk_formats [...] u:object_r:debugfs_tracing_printk_formats:s0 [...] Test: setenforce 0; runcon u:r:system_server:s0 cat /sys/kernel/tracing/printk_formats logcat complains about /sys/kernel/tracing/printk_formats Test: setenforce 0; runcon u:r:traced_probes:s0 cat /sys/kernel/tracing/printk_formats logcat does not complain about /sys/kernel/tracing/printk_formats (need to setenforce 0, because otherwise the exec of ls is denied). Bug: 70292203 Change-Id: I15ddef686f979c59daaba5263fa99aca3cd139e5
2020-11-05 13:54:52 +01:00
allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
Allow perfetto traced_probes to access tracefs on user Allows the traced_probes daemon to access the core ftrace functionalities on user builds. Specifically this involves: - Whitelisting the per_cpu/ subdirectory to access: 1) trace_pipe_raw file to allow perfetto to read the raw ftrace buffer (rather than the text-based /trace endpoint) 2) cpuX/stats and cpuX/buffer_size_kb that allow to tune the buffer size per-cpu pipe and to get basic statistics about the ftrace buffer (#events, overruns) - Whitelistiing the full event directories rather than the /enable files. This gives also access to the /format files for the events that are already enabled on user builds. /format files simply describe the memory layout of the binary logs. Example: https://ghostbin.com/paste/f8m4k This still does NOT allow enabling the events labeled as "_debug" (mostly events that return activity on inodes). We'll deal with that separately as soon as we get a POC of inode resolution and a sensible blacklist/whitelist model. Bug: 70942310 Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8
2018-02-09 12:15:22 +01:00
Sepolicy for mm events trace instance Allow traced_probes read write access to configure mm_events trace instance and poll trace_pipe_raw Bug: 155928119 Test: No denials in logcat Change-Id: Ib65ab2e7be8daa6b8c412ffea909072583db7002
2021-01-15 17:12:56 +01:00
# Allow traced_probes to access mm_events trace instance
allow traced_probes debugfs_tracing_instances:dir search;
allow traced_probes debugfs_mm_events_tracing:dir search;
allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
Allow perfetto traced_probes to access tracefs on user Allows the traced_probes daemon to access the core ftrace functionalities on user builds. Specifically this involves: - Whitelisting the per_cpu/ subdirectory to access: 1) trace_pipe_raw file to allow perfetto to read the raw ftrace buffer (rather than the text-based /trace endpoint) 2) cpuX/stats and cpuX/buffer_size_kb that allow to tune the buffer size per-cpu pipe and to get basic statistics about the ftrace buffer (#events, overruns) - Whitelistiing the full event directories rather than the /enable files. This gives also access to the /format files for the events that are already enabled on user builds. /format files simply describe the memory layout of the binary logs. Example: https://ghostbin.com/paste/f8m4k This still does NOT allow enabling the events labeled as "_debug" (mostly events that return activity on inodes). We'll deal with that separately as soon as we get a POC of inode resolution and a sensible blacklist/whitelist model. Bug: 70942310 Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8
2018-02-09 12:15:22 +01:00
# TODO(primiano): temporarily I/O tracing categories are still
Update language to comply with Android's inclusive language guidance See https://source.android.com/setup/contribute/respectful-code for reference Bug: 161896447 Change-Id: I0caf39b349c48e44123775d98c52a773b0b504ff
2020-07-31 20:28:11 +02:00
# userdebug only until we nail down the denylist/allowlist.
Allow perfetto traced_probes to access tracefs on user Allows the traced_probes daemon to access the core ftrace functionalities on user builds. Specifically this involves: - Whitelisting the per_cpu/ subdirectory to access: 1) trace_pipe_raw file to allow perfetto to read the raw ftrace buffer (rather than the text-based /trace endpoint) 2) cpuX/stats and cpuX/buffer_size_kb that allow to tune the buffer size per-cpu pipe and to get basic statistics about the ftrace buffer (#events, overruns) - Whitelistiing the full event directories rather than the /enable files. This gives also access to the /format files for the events that are already enabled on user builds. /format files simply describe the memory layout of the binary logs. Example: https://ghostbin.com/paste/f8m4k This still does NOT allow enabling the events labeled as "_debug" (mostly events that return activity on inodes). We'll deal with that separately as soon as we get a POC of inode resolution and a sensible blacklist/whitelist model. Bug: 70942310 Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8
2018-02-09 12:15:22 +01:00
userdebug_or_eng(`
traced_probes: Read tracefs directories in userdebug Allow traced_probes to read /sys/kernel/debug/tracing directories in userdebug mode. We read the directory when enabling events with the wild card syntax: "oom/*" which attmpts to read the directory /sys/kernel/debug/tracing/events/oom to work out what oom events exist. Denial: avc: denied { read } for name="oom" dev="tracefs" ino=11353 scontext=u:r:traced_probes:s0 tcontext=u:object_r:debugfs_tracing_debug:s0 tclass=dir permissive=0 Bug: 119662403 Test: perfetto -t 10s 'oom/*' -o /data/misc/perfetto-traces/trace Change-Id: I2cb171c3c5292d2eb55e71376f965b924a563572
2018-12-06 19:32:23 +01:00
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
Allow perfetto traced_probes to access tracefs on user Allows the traced_probes daemon to access the core ftrace functionalities on user builds. Specifically this involves: - Whitelisting the per_cpu/ subdirectory to access: 1) trace_pipe_raw file to allow perfetto to read the raw ftrace buffer (rather than the text-based /trace endpoint) 2) cpuX/stats and cpuX/buffer_size_kb that allow to tune the buffer size per-cpu pipe and to get basic statistics about the ftrace buffer (#events, overruns) - Whitelistiing the full event directories rather than the /enable files. This gives also access to the /format files for the events that are already enabled on user builds. /format files simply describe the memory layout of the binary logs. Example: https://ghostbin.com/paste/f8m4k This still does NOT allow enabling the events labeled as "_debug" (mostly events that return activity on inodes). We'll deal with that separately as soon as we get a POC of inode resolution and a sensible blacklist/whitelist model. Bug: 70942310 Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8
2018-02-09 12:15:22 +01:00
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
')
# Allow traced_probes to start with a higher scheduling class and then downgrade
# itself.
allow traced_probes self:global_capability_class_set { sys_nice };
# Allow procfs access
r_dir_file(traced_probes, domain)
Allow tracing service to access kallsyms on userdebug This CL allows the traced_probes service to temporarily lower kptr_restrict and read /proc/kallsyms. This is allowed only on userdebug/eng builds. The lowering of kptr_restrict is done via an init property because the kernel checks that the kptr_restrict writer is CAP_SYS_ADMIN, regardless of the /proc file ACLs [1]. [1] https://github.com/torvalds/linux/blob/4cbffc461ec91287c4cb1d0e27b01b988d0b8fba/kernel/sysctl.c#L2254 Bug: 136133013 Design doc: go/perfetto-kallsyms Test: perfetto_integrationtests --gtest_filter=PerfettoTest.KernelAddressSymbolization in r.android.com/1454882 Change-Id: Ic06e7a9a74c0f3e42fa63f7f41decc385c9fea2c
2020-10-09 10:15:10 +02:00
# Allow to temporarily lift the kptr_restrict setting and build a symbolization
# map reading /proc/kallsyms.
userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
allow traced_probes proc_kallsyms:file r_file_perms;
Allow traced_probes to read packages.list. Bug:123186697 Change-Id: Ifa480ae42f00740a39b8126e8fa6fd2120ac9b61
2019-04-02 17:19:09 +02:00
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
SEPolicy: Add read permission to traced_probes Allow traced_probes to read file /data/system/game_mode_intervention.list Bug: 219543620 Doc: go/game-dashboard-information-to-perfetto Test: manual Change-Id: I16962d2e544959d00a8d4cf32e6ca9c5bef73064
2022-04-02 00:16:14 +02:00
# Allow to read game_mode_intervention.list file.
allow traced_probes game_mode_intervention_list_file:file r_file_perms;
selinux: allow Perfetto traced_probes to write into kmesg This is to allow to leave audit trails in dmesg to cross-correlate kernel panics with perfetto ftrace activity. Bug: 73340039 Change-Id: I575a537553adc75378783c37c84350581250614d
2018-02-16 14:54:41 +01:00
# Allow to log to kernel dmesg when starting / stopping ftrace.
allow traced_probes kmsg_device:chr_file write;
Allow traced_probes to list the system partition Relevant denies: [ 2.560660] type=1400 audit(1519404055.529:9): avc: denied { read } for pid=896 comm=traced_probes name=system dev=sda22 ino=17 scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 Allowing only read then gives: [ 2.554718] type=1400 audit(1519404863.506:9): avc: denied { open } for pid=890 comm="traced_probes" path="/system" dev="sda22" ino=17 scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 Test: flashed and ran directory listing code. Bug: 73625480
2018-02-23 17:47:38 +01:00
# Allow traced_probes to list the system partition.
allow traced_probes system_file:dir { open read };
SELinux changes for I/O tracing. See also go/perfetto-io-tracing-security. * Grant CAP_DAC_READ_SEARCH to traced_probes. * Allow traced_probes to list selected labels. * Change ext4 and f2fs events to be available on user builds. Bug: 74584014 Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-02 11:52:56 +01:00
# Allow traced_probes to list some of the data partition.
sepolicy: Fix references to self:capability commit 9b2e0cbeeaae560b07e4ffa6e5b8e505699e4a76 added a new self:global_capability_class_set macro that covers both self:capability and self:cap_userns. Apply the new macro to various self:capability references that have cropped up since then. Bug: 112307595 Test: policy diff shows new rules are all cap_userns Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
2018-08-15 21:34:20 +02:00
allow traced_probes self:global_capability_class_set dac_read_search;
SELinux changes for I/O tracing. See also go/perfetto-io-tracing-security. * Grant CAP_DAC_READ_SEARCH to traced_probes. * Allow traced_probes to list selected labels. * Change ext4 and f2fs events to be available on user builds. Bug: 74584014 Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-02 11:52:56 +01:00
Grant traced_probes search on directories. This is needed to be able to scan the labels we have permission on. Denial: 04-06 12:52:22.674 874 874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0 Bug: 73625480
2018-04-06 13:55:22 +02:00
allow traced_probes apk_data_file:dir { getattr open read search };
Permissions for odrefresh and /data/misc/apexdata/com.android.art odrefresh is the process responsible for checking and creating ART compilation artifacts that live in the ART APEX data directory (/data/misc/apexdata/com.android.art). There are two types of change here: 1) enabling odrefresh to run dex2oat and write updated boot class path and system server AOT artifacts into the ART APEX data directory. 2) enabling the zygote and assorted diagnostic tools to use the updated AOT artifacts. odrefresh uses two file contexts: apex_art_data_file and apex_art_staging_data_file. When odrefresh invokes dex2oat, the generated files have the apex_art_staging_data_file label (which allows writing). odrefresh then moves these files from the staging area to their installation area and gives them the apex_art_data_file label. Bug: 160683548 Test: adb root && adb shell /apex/com.android.art/bin/odrefresh Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2020-10-16 16:29:55 +02:00
allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
Grant traced_probes search on directories. This is needed to be able to scan the labels we have permission on. Denial: 04-06 12:52:22.674 874 874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0 Bug: 73625480
2018-04-06 13:55:22 +02:00
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
SELinux changes for I/O tracing. See also go/perfetto-io-tracing-security. * Grant CAP_DAC_READ_SEARCH to traced_probes. * Allow traced_probes to list selected labels. * Change ext4 and f2fs events to be available on user builds. Bug: 74584014 Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-02 11:52:56 +01:00
userdebug_or_eng(`
Allow traced_probes to read packages.list. Bug:123186697 Change-Id: Ifa480ae42f00740a39b8126e8fa6fd2120ac9b61
2019-04-02 17:19:09 +02:00
# search and getattr are granted via domain and coredomain, respectively.
allow traced_probes system_data_file:dir { open read };
SELinux changes for I/O tracing. See also go/perfetto-io-tracing-security. * Grant CAP_DAC_READ_SEARCH to traced_probes. * Allow traced_probes to list selected labels. * Change ext4 and f2fs events to be available on user builds. Bug: 74584014 Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-02 11:52:56 +01:00
')
Grant traced_probes search on directories. This is needed to be able to scan the labels we have permission on. Denial: 04-06 12:52:22.674 874 874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0 Bug: 73625480
2018-04-06 13:55:22 +02:00
allow traced_probes system_app_data_file:dir { getattr open read search };
allow traced_probes backup_data_file:dir { getattr open read search };
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
Split user_profile_data_file label. user_profile_data_file is mlstrustedobject. And it needs to be, because we want untrusted apps to be able to write to their profile files, but they do not have levels. But now we want to apply levels in the parent directories that have the same label, and we want them to work so they need to not be MLS-exempt. To resolve that we introduce a new label, user_profile_root_file, which is applied to those directories (but no files). We grant mostly the same access to the new label as directories with the existing label. Apart from appdomain, almost every domain which accesses user_profile_data_file, and now user_profile_root_file, is already mlstrustedsubject and so can't be affected by this change. The exception is postinstall_dexopt which we now make mlstrustedobject. Bug: 141677108 Bug: 175311045 Test: Manual: flash with wipe Test: Manual: flash on top of older version Test: Manual: install & uninstall apps Test: Manual: create & remove user Test: Presubmits. Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-04 15:07:52 +01:00
allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
SELinux changes for I/O tracing. See also go/perfetto-io-tracing-security. * Grant CAP_DAC_READ_SEARCH to traced_probes. * Allow traced_probes to list selected labels. * Change ext4 and f2fs events to be available on user builds. Bug: 74584014 Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-02 11:52:56 +01:00
Reland: perfetto: allow traced_probes to execute atrace This CL adds the SELinux permissions required to execute atrace and get userspace tracing events from system services. This is to enable tracing of events coming from surfaceflinger, audio HAL, etc. atrace, when executed, sets a bunch of debug.atrace. properties and sends an IPC via binder/hwbinder to tell the services to reload that property. This CL does NOT affect systrace. In that case (i.e. when atrace is executed from adb/shell) atrace still runs in the shell domain and none of those changes apply. Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e Bug: b/73340039
2018-03-02 20:27:06 +01:00
# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
domain_auto_trans(traced_probes, atrace_exec, atrace);
sepolicy: add rules for traced_probes to capture stderr and kill atrace on timeout This CL adds rules to allow traced_probes to dup a pipe as the stderr for atrace and also send a sigkill to atrace after a timeout. This fixes b/119656920 Change-Id: Ie66aaba47c11ef7c733b442f35fee042b7c546fb
2018-11-16 13:17:24 +01:00
# Allow traced_probes to kill atrace on timeout.
allow traced_probes atrace:process sigkill;
Reland: perfetto: allow traced_probes to execute atrace This CL adds the SELinux permissions required to execute atrace and get userspace tracing events from system services. This is to enable tracing of events coming from surfaceflinger, audio HAL, etc. atrace, when executed, sets a bunch of debug.atrace. properties and sends an IPC via binder/hwbinder to tell the services to reload that property. This CL does NOT affect systrace. In that case (i.e. when atrace is executed from adb/shell) atrace still runs in the shell domain and none of those changes apply. Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e Bug: b/73340039
2018-03-02 20:27:06 +01:00
Allow perfetto traced_probes to poll /proc/{meminfo,stat,vmstat,...} This allows the trace producer daemon to snapshot counters at high frequency in the trace. As usual for Perfetto, this data is NOT made available to arbitrary apps but only to an extremely limited subset of processes governed by selinux rules (currently shell and statsd). Bug: 115956288 Change-Id: I7e1bfda4b568b9bac9012b198ecbb998da4f773d
2018-09-18 09:51:06 +02:00
# Allow traced_probes to access /proc files for system stats.
# Note: trace data is NOT exposed to anything other than shell and privileged
# system apps that have access to the traced consumer socket.
allow traced_probes {
proc_meminfo
proc_vmstat
proc_stat
traced_probes: allow perfetto to read buddyinfo proc entry Allow perfetto to read the /proc/buddyinfo entry to trace memory fragmentation of the system over time. Test: Manual: Capture perfetto buddyinfo traces Signed-off-by: Derek Smith <dpsmith@google.com> Change-Id: If2336377ae241668496d2caf81c6eac6b50dd2ff
2022-08-04 22:21:37 +02:00
proc_buddyinfo
traced_probes: allow perfetto to read /proc/pressure entries Allow perfetto to read /proc/pressure/* entries for cpu/io/memory. Test: Capture perfetto psi traces manually Bug: 315152880 Change-Id: I08c3d3eca39ee65eb3f93d609a8ef7cf9c25f6a0
2023-12-11 23:37:32 +01:00
proc_pressure_cpu
proc_pressure_io
proc_pressure_mem
Allow perfetto traced_probes to poll /proc/{meminfo,stat,vmstat,...} This allows the trace producer daemon to snapshot counters at high frequency in the trace. As usual for Perfetto, this data is NOT made available to arbitrary apps but only to an extremely limited subset of processes governed by selinux rules (currently shell and statsd). Bug: 115956288 Change-Id: I7e1bfda4b568b9bac9012b198ecbb998da4f773d
2018-09-18 09:51:06 +02:00
}:file r_file_perms;
Allow traced_probes to read devfreq - Add dir read access to /sys/class/devfreq/ - Add file read access to /sys/class/devfreq/$DEVICE/cur_freq Resolves the following denials: W traced_probes: type=1400 audit(0.0:8): avc: denied { read } for name="devfreq" dev="sysfs" ino=28076 scontext=u:r:traced_probes:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0 W traced_probes: type=1400 audit(0.0:226): avc: denied { read } for name="cur_freq" dev="sysfs" ino=54729 scontext=u:r:traced_probes:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 See ag/14187061 for device specific sysfs_devfreq_cur labels Bug: 181850306 Test: ls -Z, record perfetto trace Change-Id: I23cebb16505313160e14b49e82e24da9b81cad70
2021-04-16 14:02:06 +02:00
# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
allow traced_probes sysfs_devfreq_cur:file r_file_perms;
traced_probes: allow traced_probes to access diskstats info Test: check selinux log while perfetto I/O profiling Change-Id: I45247b72343c8bca219c7250c467c97e5dacab5c Signed-off-by: Daeho Jeong <daehojeong@google.com>
2023-04-03 22:01:00 +02:00
# Allow access to read /proc/diskstats for I/O profiling.
allow traced_probes proc_diskstats:file r_file_perms;
Allow traced_probes to access power rail data. Allows power rail data to be logged in the trace, allowing high fidelity attribution of battery power use. Matching feature CL: aosp/891533 SELinux denials that lead to this: avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder Test: checked data in a trace Bug: 122584217 Change-Id: I7e0f4e825be3f54bc78d91da1cb85c2f61465a44
2019-03-13 18:08:43 +01:00
# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
Allow traced_probes to access battery coulomb counters Allows battery counters to be logged in the trace. This is to allow high fidelity attribution of battery power. Matching feature CL: aosp/838951 SELinux denials that lead to this: avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0 avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0 duplicate messages suppressed avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { open } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { open } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { getattr } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { getattr } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { call } for comm="traced_probes" scontext=u:r:traced_probes:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 avc: denied { call } for comm="traced_probes" scontext=u:r:traced_probes:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 avc: denied { search } for comm="hwservicemanage" name="26854" dev="proc" ino=4959346 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=dir permissive=1 avc: denied { search } for comm="hwservicemanage" name="26854" dev="proc" ino=4959346 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=dir permissive=1 avc: denied { read } for comm="hwservicemanage" name="current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1 avc: denied { read } for comm="hwservicemanage" name="current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1 avc: denied { open } for comm="hwservicemanage" path="/proc/26854/attr/current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1 avc: denied { open } for comm="hwservicemanage" path="/proc/26854/attr/current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1 avc: denied { getattr } for comm="hwservicemanage" scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=process permissive=1 Bug: 113076327 Change-Id: I4aabd0d70025105320c4a8d34470098807d56899
2018-12-02 22:59:10 +01:00
hal_client_domain(traced_probes, hal_health)
Allow traced_probes to access power rail data. Allows power rail data to be logged in the trace, allowing high fidelity attribution of battery power use. Matching feature CL: aosp/891533 SELinux denials that lead to this: avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder Test: checked data in a trace Bug: 122584217 Change-Id: I7e0f4e825be3f54bc78d91da1cb85c2f61465a44
2019-03-13 18:08:43 +01:00
hal_client_domain(traced_probes, hal_power_stats)
Allow traced_probes to access battery coulomb counters Allows battery counters to be logged in the trace. This is to allow high fidelity attribution of battery power. Matching feature CL: aosp/838951 SELinux denials that lead to this: avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0 avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0 duplicate messages suppressed avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { open } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { open } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { getattr } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { getattr } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1 avc: denied { call } for comm="traced_probes" scontext=u:r:traced_probes:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 avc: denied { call } for comm="traced_probes" scontext=u:r:traced_probes:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 avc: denied { search } for comm="hwservicemanage" name="26854" dev="proc" ino=4959346 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=dir permissive=1 avc: denied { search } for comm="hwservicemanage" name="26854" dev="proc" ino=4959346 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=dir permissive=1 avc: denied { read } for comm="hwservicemanage" name="current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1 avc: denied { read } for comm="hwservicemanage" name="current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1 avc: denied { open } for comm="hwservicemanage" path="/proc/26854/attr/current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1 avc: denied { open } for comm="hwservicemanage" path="/proc/26854/attr/current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1 avc: denied { getattr } for comm="hwservicemanage" scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=process permissive=1 Bug: 113076327 Change-Id: I4aabd0d70025105320c4a8d34470098807d56899
2018-12-02 22:59:10 +01:00
Allow traced_probes access to atrace HAL 03-26 10:34:53.532 585 585 E SELinux : avc: denied { find } for interface=android.hardware.atrace::IAtraceDevice sid=u:r:traced_probes:s0 pid=917 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hal_atrace_hwservice:s0 tclass=hwservice_manager permissive=0 Bug: 127378737 Test: manually Change-Id: Icfeee8e8d62c9e11072d4f8cc1d04f256b9636c5
2019-03-26 12:03:35 +01:00
# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
hal_client_domain(traced_probes, hal_atrace)
Allow perfetto to ingest logs on userdebug/eng When recording hour-long traces, logcat messages help to interpret the trace, giving human readable context on what is happening on the system. Furthermore this is particularly helpful for startup debugging thanks to activity manager instrumentation events (am_on_create_called, am_on_start, ...). This is only allowed on userdebug/eng builds. Bug: 122243384 Change-Id: I4dfaebf21107e9853b0bf42403fbab6c3b4d5141
2019-01-10 21:07:51 +01:00
# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')
Allow traced_probes to subscribe to statsd atoms Denials: SELinux : avc: denied { find } for pid=1279 uid=9999 name=stats scontext=u:r:traced_probes:s0 tcontext=u:object_r:stats_service:s0 tclass=service_manager permissive=0 traced_probes: type=1400 audit(0.0:11): avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1 traced_probes: type=1400 audit(0.0:12): avc: denied { transfer } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1 binder:1076_7: type=1400 audit(0.0:13): avc: denied { call } for scontext=u:r:statsd:s0 tcontext=u:r:traced_probes:s0 tclass=binder permissive=1 See go/ww-atom-subscriber-api Testing steps: Patch ag/21985690 Run: $ adb push test/configs/statsd.cfg /data/misc/perfetto-configs/statsd.cfg $ adb shell perfetto --txt -c /data/misc/perfetto-configs/statsd.cfg -o /data/misc/perfetto-traces/statsd.pb $ adb pull /data/misc/perfetto-traces/statsd.pb statsd.pb $ out/linux_clang_debug/traceconv text statsd.pb Check logcat for denials. Test: See above Bug: 268661096 Change-Id: I58045b55ca8a4aa6f00774cc2d72d7b10a232922
2023-03-22 09:14:38 +01:00
# Allow traced_probes to talk to statsd for logging metrics and recording atoms.
sepolicy: allow traced_probes to access statsd socket This allows us to log metrics from traced_probes to statsd for failures. This is required for implementation of go/perfetto-failure-stats. This matches the CL aosp/1690788 which adds the initial logging to traced_probes. This solves the following denied message from logcat: avc: denied { write } for comm="traced_probes" name="statsdw" scontext=u:r:traced_probes:s0 tcontext=u:object_r:statsdw_socket:s0 Bug: 177215620 Change-Id: I1523df818562f839b28061ef88f1910d4745a289
2021-04-30 13:13:39 +02:00
unix_socket_send(traced_probes, statsdw, statsd)
Allow traced_probes to subscribe to statsd atoms Denials: SELinux : avc: denied { find } for pid=1279 uid=9999 name=stats scontext=u:r:traced_probes:s0 tcontext=u:object_r:stats_service:s0 tclass=service_manager permissive=0 traced_probes: type=1400 audit(0.0:11): avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1 traced_probes: type=1400 audit(0.0:12): avc: denied { transfer } for scontext=u:r:traced_probes:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1 binder:1076_7: type=1400 audit(0.0:13): avc: denied { call } for scontext=u:r:statsd:s0 tcontext=u:r:traced_probes:s0 tclass=binder permissive=1 See go/ww-atom-subscriber-api Testing steps: Patch ag/21985690 Run: $ adb push test/configs/statsd.cfg /data/misc/perfetto-configs/statsd.cfg $ adb shell perfetto --txt -c /data/misc/perfetto-configs/statsd.cfg -o /data/misc/perfetto-traces/statsd.pb $ adb pull /data/misc/perfetto-traces/statsd.pb statsd.pb $ out/linux_clang_debug/traceconv text statsd.pb Check logcat for denials. Test: See above Bug: 268661096 Change-Id: I58045b55ca8a4aa6f00774cc2d72d7b10a232922
2023-03-22 09:14:38 +01:00
binder_call(traced_probes, statsd)
allow traced_probes stats_service:service_manager find;
sepolicy: allow traced_probes to access statsd socket This allows us to log metrics from traced_probes to statsd for failures. This is required for implementation of go/perfetto-failure-stats. This matches the CL aosp/1690788 which adds the initial logging to traced_probes. This solves the following denied message from logcat: avc: denied { write } for comm="traced_probes" name="statsdw" scontext=u:r:traced_probes:s0 tcontext=u:object_r:statsdw_socket:s0 Bug: 177215620 Change-Id: I1523df818562f839b28061ef88f1910d4745a289
2021-04-30 13:13:39 +02:00
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
###
### Neverallow rules
###
### traced_probes should NEVER do any of this
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced_probes self:process execmem;
# Block device access.
neverallow traced_probes dev_type:blk_file { read write };
# ptrace any other app
neverallow traced_probes domain:process ptrace;
# Disallows access to /data files.
selinux: allow Perfetto traced_probes to write into kmesg This is to allow to leave audit trails in dmesg to cross-correlate kernel panics with perfetto ftrace activity. Bug: 73340039 Change-Id: I575a537553adc75378783c37c84350581250614d
2018-02-16 14:54:41 +01:00
neverallow traced_probes {
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
data_file_type
Permissions for odrefresh and /data/misc/apexdata/com.android.art odrefresh is the process responsible for checking and creating ART compilation artifacts that live in the ART APEX data directory (/data/misc/apexdata/com.android.art). There are two types of change here: 1) enabling odrefresh to run dex2oat and write updated boot class path and system server AOT artifacts into the ART APEX data directory. 2) enabling the zygote and assorted diagnostic tools to use the updated AOT artifacts. odrefresh uses two file contexts: apex_art_data_file and apex_art_staging_data_file. When odrefresh invokes dex2oat, the generated files have the apex_art_staging_data_file label (which allows writing). odrefresh then moves these files from the staging area to their installation area and gives them the apex_art_data_file label. Bug: 160683548 Test: adb root && adb shell /apex/com.android.art/bin/odrefresh Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2020-10-16 16:29:55 +02:00
-apex_module_data_file
-apex_art_data_file
SELinux changes for I/O tracing. See also go/perfetto-io-tracing-security. * Grant CAP_DAC_READ_SEARCH to traced_probes. * Allow traced_probes to list selected labels. * Change ext4 and f2fs events to be available on user builds. Bug: 74584014 Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-02 11:52:56 +01:00
-apk_data_file
-dalvikcache_data_file
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
-system_data_file
Root of /data belongs to init (re-landing) Give /data itself a different label to its contents, to ensure that only init creates files and directories there. This change originally landed as aosp/1106014 and was reverted in aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying problem, and with that we can re-land this change. Bug: 139190159 Bug: 140402208 Test: aosp boots, logs look good Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
2019-08-02 00:57:47 +02:00
-system_data_root_file
Restrict creating per-user encrypted directories Creating a per-user encrypted directory such as /data/system_ce/0 and the subdirectories in it too early has been a recurring bug. Typically, individual services in system_server are to blame; system_server has permission to create these directories, and it's easy to write "mkdirs()" instead of "mkdir()". Such bugs are very bad, as they prevent these directories from being encrypted, as encryption policies can only be set on empty directories. Due to recent changes, a factory reset is now forced in such cases, which helps detect these bugs; however, it would be much better to prevent them in the first place. This CL locks down the ability to create these directories to just vold and init, or to just vold when possible. This is done by assigning new types to the directories that contain these directories, and then only allowing the needed domains to write to these parent directories. This is similar to what https://r.android.com/1117297 did for /data itself. Three new types are used instead of just one, since these directories had three different types already (system_data_file, media_rw_data_file, vendor_data_file), and this allows the policy to be a bit more precise. A significant limitation is that /data/user/0 is currently being created by init during early boot. Therefore, this CL doesn't help much for /data/user/0, though it helps a lot for the other directories. As the next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this CL is needed regardless of whether we're able to do that. Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then created and deleted a user. Used 'ls -lZ' to check the relevant SELinux labels on both internal and adoptable storage. Also did similar tests on raven, with the addition of going through the setup wizard and using an app that creates media files. No relevant SELinux denials seen during any of this. Bug: 156305599 Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 00:18:02 +02:00
-media_userdir_file
-system_userdir_file
-vendor_userdir_file
SELinux changes for I/O tracing. See also go/perfetto-io-tracing-security. * Grant CAP_DAC_READ_SEARCH to traced_probes. * Allow traced_probes to list selected labels. * Change ext4 and f2fs events to be available on user builds. Bug: 74584014 Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-02 11:52:56 +01:00
-system_app_data_file
-backup_data_file
-bootstat_data_file
-update_engine_data_file
-update_engine_log_data_file
Split user_profile_data_file label. user_profile_data_file is mlstrustedobject. And it needs to be, because we want untrusted apps to be able to write to their profile files, but they do not have levels. But now we want to apply levels in the parent directories that have the same label, and we want them to work so they need to not be MLS-exempt. To resolve that we introduce a new label, user_profile_root_file, which is applied to those directories (but no files). We grant mostly the same access to the new label as directories with the existing label. Apart from appdomain, almost every domain which accesses user_profile_data_file, and now user_profile_root_file, is already mlstrustedsubject and so can't be affected by this change. The exception is postinstall_dexopt which we now make mlstrustedobject. Bug: 141677108 Bug: 175311045 Test: Manual: flash with wipe Test: Manual: flash on top of older version Test: Manual: install & uninstall apps Test: Manual: create & remove user Test: Presubmits. Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-04 15:07:52 +01:00
-user_profile_root_file
SELinux changes for I/O tracing. See also go/perfetto-io-tracing-security. * Grant CAP_DAC_READ_SEARCH to traced_probes. * Allow traced_probes to list selected labels. * Change ext4 and f2fs events to be available on user builds. Bug: 74584014 Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-02 11:52:56 +01:00
-user_profile_data_file
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
In native coverage builds, allow all domains to access /data/misc/trace Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 00:05:15 +02:00
with_native_coverage(`-method_trace_data_file')
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
}:dir *;
SELinux changes for I/O tracing. See also go/perfetto-io-tracing-security. * Grant CAP_DAC_READ_SEARCH to traced_probes. * Allow traced_probes to list selected labels. * Change ext4 and f2fs events to be available on user builds. Bug: 74584014 Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-02 11:52:56 +01:00
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
In native coverage builds, allow all domains to access /data/misc/trace Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 00:05:15 +02:00
neverallow traced_probes {
data_file_type
-packages_list_file
with_native_coverage(`-method_trace_data_file')
SEPolicy: Add read permission to traced_probes Allow traced_probes to read file /data/system/game_mode_intervention.list Bug: 219543620 Doc: go/game-dashboard-information-to-perfetto Test: manual Change-Id: I16962d2e544959d00a8d4cf32e6ca9c5bef73064
2022-04-02 00:16:14 +02:00
-game_mode_intervention_list_file
In native coverage builds, allow all domains to access /data/misc/trace Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 00:05:15 +02:00
}:file *;
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
neverallow * traced_probes:process dyntransition;
Sepolicy for mm events trace instance Allow traced_probes read write access to configure mm_events trace instance and poll trace_pipe_raw Bug: 155928119 Test: No denials in logcat Change-Id: Ib65ab2e7be8daa6b8c412ffea909072583db7002
2021-01-15 17:12:56 +01:00
Reference in a new issue Copy permalink