From 008465e5ec0603f9ce610584d42fba67e73ebfc5 Mon Sep 17 00:00:00 2001
From: Ryan Savitski
Date: Wed, 19 Feb 2020 14:59:17 +0000
Subject: [PATCH] traced_perf sepolicy tweaks

* allow shell to enable/disable the daemon via a sysprop
* don't audit signals, as some denials are expected
* exclude zygote from the profileable set of targets on debug builds. I've not caught any crashes in practice, but believe there's a possibility that the zygote forks while holding a non-whitelisted fd due to the signal handler.

Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
---
 private/compat/29.0/29.0.ignore.cil | 1 +
 private/domain.te | 4 +++-
 private/property_contexts | 1 +
 private/traced_perf.te | 5 +++++
 public/property.te | 1 +
 public/shell.te | 3 +++
 6 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index f9a41e1bb..7063152ef 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -93,6 +93,7 @@
 system_unsolzygote_socket
 tethering_service
 traced_perf
+ traced_perf_enabled_prop
 traced_perf_socket
 timezonedetector_service
 untrusted_app_29
diff --git a/private/domain.te b/private/domain.te
index f54f2c965..32b40c179 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -29,7 +29,8 @@ userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
 })')

 # As above, allow perf profiling most processes on debug builds.
-# Do not diverge the two lists without a really good reason.
+# zygote is excluded as system-wide profiling could end up with it
+# (unexpectedly) holding an open fd across a fork.
 userdebug_or_eng(`can_profile_perf({
 domain
 -bpfloader
@@ -45,6 +46,7 @@ userdebug_or_eng(`can_profile_perf({
 -ueventd
 -vendor_init
 -vold
+ -zygote
 })')

 # Path resolution access in cgroups.
diff --git a/private/property_contexts b/private/property_contexts
index 6315c888f..cba09a536 100644
--- a/private/property_contexts
+++ b/private/property_contexts
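Review bot: The comment removed in the first domain.te hunk was the only instruction telling maintainers that the perf list must track the heap-profiling list directly above it; the new two-line comment explains why zygote diverges but drops that directive, so the two lists can now drift apart without a reviewer being prompted to ask why. Keep the directive alongside the new rationale, e.g. a leading line `# Keep this list in sync with the heap-profiling list above, except for zygote:` followed by the two new lines. The `can_profile_perf({` list itself continues past the end of this hunk.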
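Review bot: The new `-zygote` entry in the second domain.te hunk excludes only the primary zygote domain, while the commit message attributes the hazard to a fork happening while a signal handler holds an fd, which does not appear specific to that one domain. If webview_zygote and app_zygote go through the same fork path they presumably carry the same risk and would need the same exclusion; worth confirming before this lands rather than discovering it from a hard-to-reproduce child crash. The `can_profile_perf({` block this entry belongs to starts outside this hunk.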
@@ -77,6 +77,7 @@ persist.security. u:object_r:system_prop:s0
 persist.traced.enable u:object_r:traced_enabled_prop:s0
 traced.lazy. u:object_r:traced_lazy_prop:s0
 persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
+persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
 persist.vendor.overlay. u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
 ro.boottime. u:object_r:boottime_prop:s0
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 7a78d7904..9483e6cb4 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -36,6 +36,11 @@ r_dir_file(traced_perf, vendor_file_type)
 # domains that it cannot read.
 dontaudit traced_perf domain:dir { search getattr open };

+# Do not audit failures to signal a process, as there are cases when this is
+# expected (native processes on debug builds use the policy for enforcing which
+# processes are profileable).
+dontaudit traced_perf domain:process signal;
+
 # Never allow access to app data files
 neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;

diff --git a/public/property.te b/public/property.te
index 469666881..21e220d6c 100644
--- a/public/property.te
+++ b/public/property.te
@@ -22,6 +22,7 @@ system_internal_prop(pm_prop)
 system_internal_prop(userspace_reboot_log_prop)
 system_internal_prop(system_adbd_prop)
 system_internal_prop(adbd_prop)
+system_internal_prop(traced_perf_enabled_prop)

 compatible_property_only(`
 # DO NOT ADD ANY PROPERTIES HERE
diff --git a/public/shell.te b/public/shell.te
index 0a9746599..79d5c89b3 100644
--- a/public/shell.te
+++ b/public/shell.te
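Review bot: The new `dontaudit traced_perf domain:process signal;` in traced_perf.te silences signal denials against every domain on every build, but the justification in its own comment is limited to debug builds, where the policy is what decides which native processes are profileable. On a user build a denied signal from traced_perf would be unexpected, and is precisely the event an audit log should retain for incident triage, so if the comment's scoping is accurate the rule is better wrapped as `userdebug_or_eng(`dontaudit traced_perf domain:process signal;')`. The following `neverallow` on app data files is unaffected either way, since dontaudit never grants access.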
@@ -78,6 +78,9 @@ userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
 # Allow shell to start/stop heapprofd via the persist.heapprofd.enable
 # property.
 set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
 set_prop(shell, ctl_gsid_prop)
 # Allow shell to enable Dynamic System Update