platform_system_sepolicy/private/traced.te

# Perfetto user-space tracing daemon (unprivileged)
type traced, domain, coredomain, mlstrustedsubject;
type traced_exec, exec_type, file_type;

# Allow init to exec the daemon.
init_daemon_domain(traced)

# Allow apps in other MLS contexts (for multi-user) to access
# share memory buffers created by traced.
typeattribute traced_tmpfs mlstrustedobject;

# Allow traced to start with a lower scheduling class and change
# class accordingly to what defined in the config provided by
# the privileged process that controls it.
allow traced self:global_capability_class_set { sys_nice };

# Allow to pass a file descriptor for the output trace from "perfetto" (the
# cmdline client) and other shell binaries to traced and let traced write
# directly into that (rather than returning the trace contents over the socket).
allow traced perfetto:fd use;
allow traced shell:fd use;
allow traced perfetto_traces_data_file:file { read write };

###
### Neverallow rules
###
### traced should NEVER do any of this

# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced self:process execmem;

# Block device access.
neverallow traced dev_type:blk_file { read write };

# ptrace any other process
neverallow traced domain:process ptrace;

# Disallows access to /data files, still allowing to write to file descriptors
# passed through the socket.
neverallow traced {
  data_file_type
  -system_data_file
  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
  # subsequent neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
  -zoneinfo_data_file
}:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced {
  data_file_type
  -zoneinfo_data_file
  -perfetto_traces_data_file
}:file ~write;

# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405 2017-12-21 03:51:15 +01:00			`# Perfetto user-space tracing daemon (unprivileged)`
perfetto: Make producer socket MLS-aware The previous selinux rules obtained via audit2allow didn't really work with the case of apps connecting to the producer socket, despite all the allow rules being correctly in place. This was failing our CTS tests. The reason for the failure (see denials pasted below) is due to Multi Level Security (for multi-user), which was still preventing apps form a different level to connect to the traced producer socket and write to the shmem buffers they get passed back. This CL tags the objects being accessed as mlstrusted. CTS tests pass with this CL. Denials: avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1 avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1 avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1 avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1 avc: denied { write } for pid=8545 comm="traced_probes" path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=104483 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1 Change-Id: I1598bc0b07bf39b8d0420b66caf06a4ca884f383 Bug: 73340039 Test: CtsPerfettoTestCases 2018-02-21 14:44:39 +01:00			`type traced, domain, coredomain, mlstrustedsubject;`
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405 2017-12-21 03:51:15 +01:00			`type traced_exec, exec_type, file_type;`

			`# Allow init to exec the daemon.`
			`init_daemon_domain(traced)`

perfetto: Make producer socket MLS-aware The previous selinux rules obtained via audit2allow didn't really work with the case of apps connecting to the producer socket, despite all the allow rules being correctly in place. This was failing our CTS tests. The reason for the failure (see denials pasted below) is due to Multi Level Security (for multi-user), which was still preventing apps form a different level to connect to the traced producer socket and write to the shmem buffers they get passed back. This CL tags the objects being accessed as mlstrusted. CTS tests pass with this CL. Denials: avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1 avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1 avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1 avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1 avc: denied { write } for pid=8545 comm="traced_probes" path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=104483 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1 Change-Id: I1598bc0b07bf39b8d0420b66caf06a4ca884f383 Bug: 73340039 Test: CtsPerfettoTestCases 2018-02-21 14:44:39 +01:00			`# Allow apps in other MLS contexts (for multi-user) to access`
			`# share memory buffers created by traced.`
			`typeattribute traced_tmpfs mlstrustedobject;`

Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405 2017-12-21 03:51:15 +01:00			`# Allow traced to start with a lower scheduling class and change`
			`# class accordingly to what defined in the config provided by`
			`# the privileged process that controls it.`
			`allow traced self:global_capability_class_set { sys_nice };`

perfetto: allow traced to write into FDs received by the client This allows an optimization that consists in the "perfetto" cmdline client passing directly the file descriptor for the output trace to traced (as opposite to having traced streaming back the trace data to "perfetto" and having that one doing the write() into file). This reduces sensibly the memory traffic and CPU overhead of traces with a minor change. Bug: 73625179 Test: builds + perfetto_integrationtests w/ long_trace.cfg Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2 2018-03-26 02:54:52 +02:00			`# Allow to pass a file descriptor for the output trace from "perfetto" (the`
			`# cmdline client) and other shell binaries to traced and let traced write`
			`# directly into that (rather than returning the trace contents over the socket).`
			`allow traced perfetto:fd use;`
			`allow traced shell:fd use;`
			`allow traced perfetto_traces_data_file:file { read write };`

Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405 2017-12-21 03:51:15 +01:00			`###`
			`### Neverallow rules`
			`###`
			`### traced should NEVER do any of this`

			`# Disallow mapping executable memory (execstack and exec are already disallowed`
			`# globally in domain.te).`
			`neverallow traced self:process execmem;`

			`# Block device access.`
			`neverallow traced dev_type:blk_file { read write };`

			`# ptrace any other process`
			`neverallow traced domain:process ptrace;`

			`# Disallows access to /data files, still allowing to write to file descriptors`
			`# passed through the socket.`
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34 2018-02-08 01:29:06 +01:00			`neverallow traced {`
			`data_file_type`
			`-system_data_file`
			`# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a`
			`# subsequent neverallow. Currently only getattr and search are allowed.`
			`-vendor_data_file`
			`-zoneinfo_data_file`
			`}:dir *;`
			`neverallow traced { system_data_file }:dir ~{ getattr search };`
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405 2017-12-21 03:51:15 +01:00			`neverallow traced zoneinfo_data_file:dir ~r_dir_perms;`
			`neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;`
perfetto: allow traced to write into FDs received by the client This allows an optimization that consists in the "perfetto" cmdline client passing directly the file descriptor for the output trace to traced (as opposite to having traced streaming back the trace data to "perfetto" and having that one doing the write() into file). This reduces sensibly the memory traffic and CPU overhead of traces with a minor change. Bug: 73625179 Test: builds + perfetto_integrationtests w/ long_trace.cfg Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2 2018-03-26 02:54:52 +02:00			`neverallow traced {`
			`data_file_type`
			`-zoneinfo_data_file`
			`-perfetto_traces_data_file`
			`}:file ~write;`
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405 2017-12-21 03:51:15 +01:00
			`# Only init is allowed to enter the traced domain via exec()`
			`neverallow { domain -init } traced:process transition;`
			`neverallow * traced:process dyntransition;`