Merge "SELinux policies for Perfetto cmdline client (/system/bin/perfetto)" am: 426b1b468b am: ca878c26f6

am: e6b630e8d0

Change-Id: Ib8eb4514e0e8abe7eb6b090c70b508a9f18f9e30
This commit is contained in:
Primiano Tucci 2018-01-29 19:57:25 +00:00 committed by android-build-merger
commit 1bd6104aa5
8 changed files with 91 additions and 3 deletions

View file

@ -59,6 +59,10 @@
network_watchlist_data_file
network_watchlist_service
package_native_service
perfetto
perfetto_exec
perfetto_tmpfs
perfetto_traces_data_file
perfprofd_service
property_info
slice_service

View file

@ -9,3 +9,6 @@ type storaged_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/wmtrace for wm traces
type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;

View file

@ -244,6 +244,7 @@
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
@ -389,6 +390,7 @@
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0

60
private/perfetto.te Normal file
View file

@ -0,0 +1,60 @@
# Perfetto command-line client. Can be used only from the domains that are
# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
type perfetto, domain, coredomain;
type perfetto_exec, exec_type, file_type;
tmpfs_domain(perfetto);
# Allow to access traced's privileged consumer socket.
unix_socket_connect(perfetto, traced_consumer, traced)
# Allow to write and unlink traces into /data/misc/perfetto-traces.
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
# Allow to access binder to pass the traces to Dropbox.
binder_use(perfetto)
binder_call(perfetto, system_server)
allow perfetto dropbox_service:service_manager find;
# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
# print out on stdout/stderr.
allow perfetto statsd:fd use;
allow perfetto statsd:fifo_file { getattr read write };
allow perfetto shell:fd use;
allow perfetto shell:fifo_file { getattr read write };
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
allow perfetto adbd:unix_stream_socket { read write };
# allow adbd to reap perfetto
allow perfetto adbd:process { sigchld };
# Allow to access /dev/pts when launched in an adb shell.
allow perfetto devpts:chr_file rw_file_perms;
###
### Neverallow rules
###
### perfetto should NEVER do any of this
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow perfetto self:process execmem;
# Block device access.
neverallow perfetto dev_type:blk_file { read write };
# ptrace any other process
neverallow perfetto domain:process ptrace;
# Disallows access to other /data files.
neverallow perfetto { data_file_type -system_data_file -zoneinfo_data_file -perfetto_traces_data_file }:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;

View file

@ -38,3 +38,12 @@ allow shell traced_tmpfs:file { read write getattr map };
unix_socket_connect(shell, traced_producer, traced)
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
# when exec()-d by statsd.
domain_auto_trans(shell, perfetto_exec, perfetto)
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file r_file_perms;

View file

@ -37,8 +37,11 @@ binder_call(statsd, system_server)
read_logd(statsd)
control_logd(statsd)
# Allow to control Perfetto traced and consume its traces.
unix_socket_connect(statsd, traced_consumer, traced)
# Allow to exec the perfetto cmdline client and pass it the trace config on
# stdint through a pipe. It allows statsd to capture traces and hand them
# to Android dropbox.
allow statsd perfetto_exec:file rx_file_perms;
domain_auto_trans(statsd, perfetto_exec, perfetto)
# Grant statsd with permissions to register the services.
allow statsd {

View file

@ -13,6 +13,9 @@ userdebug_or_eng(`
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
# su is also permissive to permit setenforce.
permissive su;

View file

@ -373,6 +373,11 @@ allow system_server dumpstate:fifo_file append;
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
# binder.
allow system_server perfetto_traces_data_file:file read;
allow system_server perfetto:fd use;
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
@ -825,4 +830,3 @@ neverallow system_server { domain -system_server }:process ptrace;
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;