tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/traced.te

121 lines
4.3 KiB
Text
Raw Normal View History

Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Perfetto user-space tracing daemon (unprivileged)
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 19:21:37 +02:00
type traced_exec, system_file_type, exec_type, file_type;
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Allow init to exec the daemon.
init_daemon_domain(traced)
Properly Treble-ize tmpfs access This is being done in preparation for the migration from ashmem to memfd. In order for tmpfs objects to be usable across the Treble boundary, they need to be declared in public policy whereas, they're currently all declared in private policy as part of the tmpfs_domain() macro. Remove the type declaration from the macro, and remove tmpfs_domain() from the init_daemon_domain() macro to avoid having to declare the *_tmpfs types for all init launched domains. tmpfs is mostly used by apps and the media frameworks. Bug: 122854450 Test: Boot Taimen and blueline. Watch videos, make phone calls, browse internet, send text, install angry birds...play angry birds, keep playing angry birds... Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358 Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358 (cherry picked from commit e16fb9109c678f47aa7698605477d9a6baf398fb)
2019-01-24 00:07:40 +01:00
tmpfs_domain(traced)
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
perfetto: Make producer socket MLS-aware The previous selinux rules obtained via audit2allow didn't really work with the case of apps connecting to the producer socket, despite all the allow rules being correctly in place. This was failing our CTS tests. The reason for the failure (see denials pasted below) is due to Multi Level Security (for multi-user), which was still preventing apps form a different level to connect to the traced producer socket and write to the shmem buffers they get passed back. This CL tags the objects being accessed as mlstrusted. CTS tests pass with this CL. Denials: avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1 avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1 avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1 avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1 avc: denied { write } for pid=8545 comm="traced_probes" path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=104483 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1 Change-Id: I1598bc0b07bf39b8d0420b66caf06a4ca884f383 Bug: 73340039 Test: CtsPerfettoTestCases
2018-02-21 14:44:39 +01:00
# Allow apps in other MLS contexts (for multi-user) to access
# share memory buffers created by traced.
typeattribute traced_tmpfs mlstrustedobject;
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Allow traced to start with a lower scheduling class and change
# class accordingly to what defined in the config provided by
# the privileged process that controls it.
allow traced self:global_capability_class_set { sys_nice };
perfetto: allow traced to write into FDs received by the client This allows an optimization that consists in the "perfetto" cmdline client passing directly the file descriptor for the output trace to traced (as opposite to having traced streaming back the trace data to "perfetto" and having that one doing the write() into file). This reduces sensibly the memory traffic and CPU overhead of traces with a minor change. Bug: 73625179 Test: builds + perfetto_integrationtests w/ long_trace.cfg Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2
2018-03-26 02:54:52 +02:00
# Allow to pass a file descriptor for the output trace from "perfetto" (the
# cmdline client) and other shell binaries to traced and let traced write
# directly into that (rather than returning the trace contents over the socket).
allow traced perfetto:fd use;
allow traced shell:fd use;
Fix perfetto CTS test The test was failing because of a selinux denial. This adds the required rule. Test: atest (previously failing CTS test passed) Change-Id: Ieb99f9ab4c6014a3d0aa1fe6c6fb6b82fa9b7631
2019-01-21 19:54:45 +01:00
allow traced shell:fifo_file { read write };
Allow traced to create files within /data/misc/perfetto-traces Together with aosp/1282157 this change allows the service to create trace files in the /data/misc/perfetto-traces folder. Before this change they needed to be created by the perfetto cmdline client and pass the FD. This doesn't work for host tools like Android GPU Inspector (https://gpuinspector.dev/) which talk to the UNIX socket over adb forward and cannot pass a FD from the host. Bug: 153519149 Test: manual: adb shell perfetto --txt -c - buffers { size_kb: 65536 } data_sources { config { name: "linux.ftrace" ftrace_config { ftrace_events: "sched_switch" } } } duration_ms: 5000 write_into_file: true output_path: "/data/misc/perfetto-traces/ttt" Change-Id: I184329805741654983843e6a29c1fac19a836f59
2020-04-08 21:31:21 +02:00
# Allow the service to create new files within /data/misc/perfetto-traces.
allow traced perfetto_traces_data_file:file create_file_perms;
allow traced perfetto_traces_data_file:dir rw_dir_perms;
Allow iorapd to access perfetto This requires moving the type declaration of perfetto traced to public, because iorapd needs to refer to it. Denials without this CL: https://pastebin.com/raw/sxHMeLEU Bug: 72170747 Test: 1. runcon u:r:iorapd:s0 iorap.cmd.perfetto \ -v --output-proto /data/misc/iorapd/test 2. Check that no selinux denials other than avc: denied { entrypoint } for path="/system/bin/iorap.cmd.perfetto" dev="sda6" ino=21 scontext=u:r:iorapd:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1 show up (this is a side-effect of runcon). Change-Id: Iacd1ab201fe9fb2a6302dbd528f42f709cbca054
2019-01-23 21:42:16 +01:00
# Allow traceur to pass open file descriptors to traced, so traced can directly
# write into the output file without doing roundtrips over IPC.
allow traced traceur_app:fd use;
Add selinux rules for detachable perfetto process. This appears to be the minimum change required to accommodate Traceur running the detachable Perfetto process. Bug: 116754732 Test: Started a perfetto trace using --detach and it started successfully. Change-Id: I12881ae343389abdcc74af5f11ecbac99b03ef7c
2019-01-10 21:17:40 +01:00
allow traced trace_data_file:file { read write };
perfetto: allow traced to write into FDs received by the client This allows an optimization that consists in the "perfetto" cmdline client passing directly the file descriptor for the output trace to traced (as opposite to having traced streaming back the trace data to "perfetto" and having that one doing the write() into file). This reduces sensibly the memory traffic and CPU overhead of traces with a minor change. Bug: 73625179 Test: builds + perfetto_integrationtests w/ long_trace.cfg Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2
2018-03-26 02:54:52 +02:00
Configure sepolicy for TracingServiceProxy Configures sepolicy to allow for the new TracingServiceProxy system services, and to allow Perfetto to access the service. Bug: 175591887 Test: Validated the service started successfullyy, and invoked via CLI Change-Id: Idb6438948a9d96063f8455544b97ef66267cde23
2020-12-11 23:51:32 +01:00
# Allow perfetto to access the proxy service for notifying Traceur.
allow traced tracingproxy_service:service_manager find;
binder_use(traced);
binder_call(traced, system_server);
perfetto: allow producers to supply shared memory This concerns the data transfer between an untrusted producer process, and the tracing service (traced daemon). They communicate over a combination of a unix socket and shared memory. Normally, the service creates the shared memory region, and hands it off to the producer process (see perfetto_producer() macro). This patch allows for an alternative scheme, where the producer process is allowed to create the shared memory region, which will then be adopted by the tracing service. The service already inherently doesn't trust the producer, so it'll validate that the shared memory is appropriately sealed before using it. The immediate use-case is chrome's go/perfetto-startup-tracing-v2. But this mode has advantages (e.g. being able to write to the shared memory before connecting) for other producer domains as well. Bug: 148841422 Change-Id: I90f864b900958792553f0208f4a0041dbf2892cc
2020-02-04 14:44:14 +01:00
# Allow traced to use shared memory supplied by producers. Typically, traced
# (i.e. the tracing service) creates the shared memory used for data transfer
# from the producer. This rule allows an alternative scheme, where the producer
# creates the shared memory, that is then adopted by traced (after validating
# that it is appropriately sealed).
# This list has to replicate the tmpfs domains of all applicable domains that
# have perfetto_producer() macro applied to them.
# perfetto_tmpfs excluded as it should never need to use the producer-supplied
# shared memory scheme.
allow traced {
appdomain_tmpfs
heapprofd_tmpfs
surfaceflinger_tmpfs
traced_probes_tmpfs
userdebug_or_eng(`system_server_tmpfs')
}:file { getattr map read write };
Allow traced to notify traceur via property This CL introduces allows traced to set the sys.traceur.trace_end_signal property at the end of the tracer. In turn that property notifies the the Traceur app. This is to allowing Traceur to be killed during a long-trace and avoid wasting resources making it a persistent service. See aosp/886616 for the matching traceur change. Test: manual Bug: 116754732 Change-Id: I89e2f02b3f973813ce8ff3507d397a06502f84c1
2019-02-01 23:52:02 +01:00
# Allow traced to notify Traceur when a trace ends by setting the
# sys.trace.trace_end_signal property.
set_prop(traced, system_trace_prop)
Allow traced to lazily start heapprofd. Bug: 126724929 Change-Id: I15f0ae10d5e45fc65850635230e377b6f77ad4d7
2019-03-13 19:22:23 +01:00
# Allow to lazily start producers.
set_prop(traced, traced_lazy_prop)
Sysprop for the count of active OOME tracing sessions In order for ART code to call perfetto DataSource::Trace() we need to wait for all data source instances to have completed their setup. To do so, we need to know how many of them exist. This introduces a new sysprop traced.oome_heap_session.count, writeable by perfetto traced and readable by apps and system_server that can be used to communicate this. See go/art-oom-heap-dump for more details Test: manual, atest HeapprofdJavaCtsTest Bug: 269246893 Change-Id: Ib8220879a40854f98bc2f550ff2e7ebf3e077756
2023-02-10 18:52:19 +01:00
# Allow tracking the count of sessions intercepting Java OutOfMemoryError
# If there are such tracing sessions and an OutOfMemoryError is thrown by ART,
# the hprof plugin intercepts the error, lazily registers a data source to
# traced and collects a heap dump.
set_prop(traced, traced_oome_heap_session_count_prop)
Allow traced to notify traceur via property This CL introduces allows traced to set the sys.traceur.trace_end_signal property at the end of the tracer. In turn that property notifies the the Traceur app. This is to allowing Traceur to be killed during a long-trace and avoid wasting resources making it a persistent service. See aosp/886616 for the matching traceur change. Test: manual Bug: 116754732 Change-Id: I89e2f02b3f973813ce8ff3507d397a06502f84c1
2019-02-01 23:52:02 +01:00
sepolicy: allow traced to access statsd socket This allows us to log metrics from traced to statsd for failures. This is required for implementation of go/perfetto-failure-stats. This matches the CL aosp/1512303 which adds the initial logging to traced. This solves the following denied message from logcat: avc: denied { write } for name="statsdw" scontext=u:r:traced:s0 tcontext=u:object_r:statsdw_socket:s0 Bug: 177215620 Change-Id: I4cc613c3a8f4d75c4a5c232b996f8a6cffd3ba9d
2020-12-16 19:45:31 +01:00
# Allow traced to talk to statsd for logging metrics.
unix_socket_send(traced, statsdw, statsd)
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
###
### Neverallow rules
###
### traced should NEVER do any of this
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced self:process execmem;
# Block device access.
neverallow traced dev_type:blk_file { read write };
# ptrace any other process
neverallow traced domain:process ptrace;
# Disallows access to /data files, still allowing to write to file descriptors
# passed through the socket.
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
neverallow traced {
data_file_type
Allow traced to create files within /data/misc/perfetto-traces Together with aosp/1282157 this change allows the service to create trace files in the /data/misc/perfetto-traces folder. Before this change they needed to be created by the perfetto cmdline client and pass the FD. This doesn't work for host tools like Android GPU Inspector (https://gpuinspector.dev/) which talk to the UNIX socket over adb forward and cannot pass a FD from the host. Bug: 153519149 Test: manual: adb shell perfetto --txt -c - buffers { size_kb: 65536 } data_sources { config { name: "linux.ftrace" ftrace_config { ftrace_events: "sched_switch" } } } duration_ms: 5000 write_into_file: true output_path: "/data/misc/perfetto-traces/ttt" Change-Id: I184329805741654983843e6a29c1fac19a836f59
2020-04-08 21:31:21 +02:00
-perfetto_traces_data_file
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
-system_data_file
Root of /data belongs to init (re-landing) Give /data itself a different label to its contents, to ensure that only init creates files and directories there. This change originally landed as aosp/1106014 and was reverted in aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying problem, and with that we can re-land this change. Bug: 139190159 Bug: 140402208 Test: aosp boots, logs look good Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
2019-08-02 00:57:47 +02:00
-system_data_root_file
Restrict creating per-user encrypted directories Creating a per-user encrypted directory such as /data/system_ce/0 and the subdirectories in it too early has been a recurring bug. Typically, individual services in system_server are to blame; system_server has permission to create these directories, and it's easy to write "mkdirs()" instead of "mkdir()". Such bugs are very bad, as they prevent these directories from being encrypted, as encryption policies can only be set on empty directories. Due to recent changes, a factory reset is now forced in such cases, which helps detect these bugs; however, it would be much better to prevent them in the first place. This CL locks down the ability to create these directories to just vold and init, or to just vold when possible. This is done by assigning new types to the directories that contain these directories, and then only allowing the needed domains to write to these parent directories. This is similar to what https://r.android.com/1117297 did for /data itself. Three new types are used instead of just one, since these directories had three different types already (system_data_file, media_rw_data_file, vendor_data_file), and this allows the policy to be a bit more precise. A significant limitation is that /data/user/0 is currently being created by init during early boot. Therefore, this CL doesn't help much for /data/user/0, though it helps a lot for the other directories. As the next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this CL is needed regardless of whether we're able to do that. Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then created and deleted a user. Used 'ls -lZ' to check the relevant SELinux labels on both internal and adoptable storage. Also did similar tests on raven, with the addition of going through the setup wizard and using an app that creates media files. No relevant SELinux denials seen during any of this. Bug: 156305599 Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 00:18:02 +02:00
-media_userdir_file
-system_userdir_file
-vendor_userdir_file
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
In native coverage builds, allow all domains to access /data/misc/trace Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 00:05:15 +02:00
with_native_coverage(`-method_trace_data_file')
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
}:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search };
perfetto: allow traced to write into FDs received by the client This allows an optimization that consists in the "perfetto" cmdline client passing directly the file descriptor for the output trace to traced (as opposite to having traced streaming back the trace data to "perfetto" and having that one doing the write() into file). This reduces sensibly the memory traffic and CPU overhead of traces with a minor change. Bug: 73625179 Test: builds + perfetto_integrationtests w/ long_trace.cfg Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2
2018-03-26 02:54:52 +02:00
neverallow traced {
data_file_type
-perfetto_traces_data_file
Add selinux rules for detachable perfetto process. This appears to be the minimum change required to accommodate Traceur running the detachable Perfetto process. Bug: 116754732 Test: Started a perfetto trace using --detach and it started successfully. Change-Id: I12881ae343389abdcc74af5f11ecbac99b03ef7c
2019-01-10 21:17:40 +01:00
-trace_data_file
In native coverage builds, allow all domains to access /data/misc/trace Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 00:05:15 +02:00
with_native_coverage(`-method_trace_data_file')
perfetto: allow traced to write into FDs received by the client This allows an optimization that consists in the "perfetto" cmdline client passing directly the file descriptor for the output trace to traced (as opposite to having traced streaming back the trace data to "perfetto" and having that one doing the write() into file). This reduces sensibly the memory traffic and CPU overhead of traces with a minor change. Bug: 73625179 Test: builds + perfetto_integrationtests w/ long_trace.cfg Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2
2018-03-26 02:54:52 +02:00
}:file ~write;
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
Ensure that only desired processes can access TracingServiceProxy This change adds a neverallow rule in traced.te to limit the processes that can find tracingproxy_service, the context for TracingServiceProxy. I wanted to avoid moving the tracingproxy_service definition to public, so there were a few services that are exempted from this neverallow rule. Bug: 191391382 Test: Manually verified that with this change, along with the other change in this topic, I see no errors when taking a bugreport while a Traceur trace is running. Change-Id: I8658df0db92ae9cf4fefe2eebb4d6d9a5349ea89
2021-06-24 01:53:45 +02:00
# Limit the processes that can access tracingproxy_service.
sepolicy: add permissions for trace reporting Bug: 205892741 Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
2021-12-10 22:50:44 +01:00
neverallow {
domain
-traced
-dumpstate
-traceur_app
-shell
-system_server
-perfetto
} tracingproxy_service:service_manager find;
Reference in a new issue Copy permalink