Merge "SELinux policies for Perfetto cmdline client (/system/bin/perfetto)" am: 426b1b468b
am: ca878c26f6
am: e6b630e8d0
Change-Id: Ib8eb4514e0e8abe7eb6b090c70b508a9f18f9e30
This commit is contained in:
commit
1bd6104aa5
8 changed files with 91 additions and 3 deletions
|
@ -59,6 +59,10 @@
|
|||
network_watchlist_data_file
|
||||
network_watchlist_service
|
||||
package_native_service
|
||||
perfetto
|
||||
perfetto_exec
|
||||
perfetto_tmpfs
|
||||
perfetto_traces_data_file
|
||||
perfprofd_service
|
||||
property_info
|
||||
slice_service
|
||||
|
|
|
@ -9,3 +9,6 @@ type storaged_data_file, file_type, data_file_type, core_data_file_type;
|
|||
|
||||
# /data/misc/wmtrace for wm traces
|
||||
type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
||||
# /data/misc/perfetto-traces for perfetto traces
|
||||
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
|
|
@ -244,6 +244,7 @@
|
|||
/system/bin/usbd u:object_r:usbd_exec:s0
|
||||
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
|
||||
/system/bin/logd u:object_r:logd_exec:s0
|
||||
/system/bin/perfetto u:object_r:perfetto_exec:s0
|
||||
/system/bin/traced u:object_r:traced_exec:s0
|
||||
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
|
||||
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
|
||||
|
@ -389,6 +390,7 @@
|
|||
/data/misc/media(/.*)? u:object_r:media_data_file:s0
|
||||
/data/misc/net(/.*)? u:object_r:net_data_file:s0
|
||||
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
|
||||
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
|
||||
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
|
||||
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
|
||||
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
|
||||
|
|
60
private/perfetto.te
Normal file
60
private/perfetto.te
Normal file
|
@ -0,0 +1,60 @@
|
|||
# Perfetto command-line client. Can be used only from the domains that are
|
||||
# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
|
||||
# This command line client accesses the privileged socket of the traced
|
||||
# daemon.
|
||||
|
||||
type perfetto, domain, coredomain;
|
||||
type perfetto_exec, exec_type, file_type;
|
||||
|
||||
tmpfs_domain(perfetto);
|
||||
|
||||
# Allow to access traced's privileged consumer socket.
|
||||
unix_socket_connect(perfetto, traced_consumer, traced)
|
||||
|
||||
# Allow to write and unlink traces into /data/misc/perfetto-traces.
|
||||
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
|
||||
allow perfetto perfetto_traces_data_file:file create_file_perms;
|
||||
|
||||
# Allow to access binder to pass the traces to Dropbox.
|
||||
binder_use(perfetto)
|
||||
binder_call(perfetto, system_server)
|
||||
allow perfetto dropbox_service:service_manager find;
|
||||
|
||||
# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
|
||||
# print out on stdout/stderr.
|
||||
allow perfetto statsd:fd use;
|
||||
allow perfetto statsd:fifo_file { getattr read write };
|
||||
allow perfetto shell:fd use;
|
||||
allow perfetto shell:fifo_file { getattr read write };
|
||||
|
||||
# Allow to communicate use, read and write over the adb connection.
|
||||
allow perfetto adbd:fd use;
|
||||
allow perfetto adbd:unix_stream_socket { read write };
|
||||
|
||||
# allow adbd to reap perfetto
|
||||
allow perfetto adbd:process { sigchld };
|
||||
|
||||
# Allow to access /dev/pts when launched in an adb shell.
|
||||
allow perfetto devpts:chr_file rw_file_perms;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
### perfetto should NEVER do any of this
|
||||
|
||||
# Disallow mapping executable memory (execstack and exec are already disallowed
|
||||
# globally in domain.te).
|
||||
neverallow perfetto self:process execmem;
|
||||
|
||||
# Block device access.
|
||||
neverallow perfetto dev_type:blk_file { read write };
|
||||
|
||||
# ptrace any other process
|
||||
neverallow perfetto domain:process ptrace;
|
||||
|
||||
# Disallows access to other /data files.
|
||||
neverallow perfetto { data_file_type -system_data_file -zoneinfo_data_file -perfetto_traces_data_file }:dir *;
|
||||
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
|
||||
neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
|
||||
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
|
||||
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;
|
|
@ -38,3 +38,12 @@ allow shell traced_tmpfs:file { read write getattr map };
|
|||
unix_socket_connect(shell, traced_producer, traced)
|
||||
|
||||
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
|
||||
|
||||
# Allow shell binaries to exec the perfetto cmdline util and have that
|
||||
# transition into its own domain, so that it behaves consistently to
|
||||
# when exec()-d by statsd.
|
||||
domain_auto_trans(shell, perfetto_exec, perfetto)
|
||||
|
||||
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
|
||||
allow shell perfetto_traces_data_file:dir rw_dir_perms;
|
||||
allow shell perfetto_traces_data_file:file r_file_perms;
|
||||
|
|
|
@ -37,8 +37,11 @@ binder_call(statsd, system_server)
|
|||
read_logd(statsd)
|
||||
control_logd(statsd)
|
||||
|
||||
# Allow to control Perfetto traced and consume its traces.
|
||||
unix_socket_connect(statsd, traced_consumer, traced)
|
||||
# Allow to exec the perfetto cmdline client and pass it the trace config on
|
||||
# stdint through a pipe. It allows statsd to capture traces and hand them
|
||||
# to Android dropbox.
|
||||
allow statsd perfetto_exec:file rx_file_perms;
|
||||
domain_auto_trans(statsd, perfetto_exec, perfetto)
|
||||
|
||||
# Grant statsd with permissions to register the services.
|
||||
allow statsd {
|
||||
|
|
|
@ -13,6 +13,9 @@ userdebug_or_eng(`
|
|||
# Put the incident command into its domain so it is the same on user, userdebug and eng.
|
||||
domain_auto_trans(su, incident_exec, incident)
|
||||
|
||||
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
|
||||
domain_auto_trans(su, perfetto_exec, perfetto)
|
||||
|
||||
# su is also permissive to permit setenforce.
|
||||
permissive su;
|
||||
|
||||
|
|
|
@ -373,6 +373,11 @@ allow system_server dumpstate:fifo_file append;
|
|||
# with no DAC access to it, for dropbox to read.
|
||||
allow system_server incident_data_file:file read;
|
||||
|
||||
# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
|
||||
# binder.
|
||||
allow system_server perfetto_traces_data_file:file read;
|
||||
allow system_server perfetto:fd use;
|
||||
|
||||
# Manage /data/backup.
|
||||
allow system_server backup_data_file:dir create_dir_perms;
|
||||
allow system_server backup_data_file:file create_file_perms;
|
||||
|
@ -825,4 +830,3 @@ neverallow system_server { domain -system_server }:process ptrace;
|
|||
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
|
||||
# file read access. However, that is now unnecessary (b/34951864)
|
||||
neverallow system_server system_server:global_capability_class_set sys_resource;
|
||||
|
||||
|
|
Loading…
Reference in a new issue