Perfetto SELinux policies
am: c80f9e037b
Change-Id: I1a9201094a3595e2db89688f9ab952453b424b63
This commit is contained in:
Primiano Tucci
android-build-merger
commit
3ed0362a30
14 changed files with 153 additions and 2 deletions
|
|
@ -55,6 +55,14 @@
|
|||
tombstone_wifi_data_file
|
||||
traceur_app
|
||||
traceur_app_tmpfs
|
||||
traced
|
||||
traced_consumer_socket
|
||||
traced_exec
|
||||
traced_probes
|
||||
traced_probes_exec
|
||||
traced_probes_tmpfs
|
||||
traced_producer_socket
|
||||
traced_tmpfs
|
||||
update_engine_log_data_file
|
||||
vendor_init
|
||||
vold_prepare_subdirs
|
||||
|
|
|
|||
|
|
@ -71,6 +71,7 @@ full_treble_only(`
|
|||
-dumpstate
|
||||
-init
|
||||
userdebug_or_eng(`-perfprofd')
|
||||
userdebug_or_eng(`-traced_probes')
|
||||
-shell
|
||||
userdebug_or_eng(`-traceur_app')
|
||||
-vendor_init
|
||||
|
|
|
|||
|
|
@ -35,6 +35,12 @@ allow ephemeral_app drmserver_service:service_manager find;
|
|||
allow ephemeral_app radio_service:service_manager find;
|
||||
allow ephemeral_app ephemeral_app_api_service:service_manager find;
|
||||
|
||||
# Write app-specific trace data to the Perfetto traced damon. This requires
|
||||
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
||||
allow ephemeral_app traced:fd use;
|
||||
allow ephemeral_app traced_tmpfs:file { read write getattr map };
|
||||
unix_socket_connect(ephemeral_app, traced_producer, traced)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
|
|||
|
|
@ -146,6 +146,8 @@
|
|||
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
|
||||
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
|
||||
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
|
||||
/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
|
||||
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
|
||||
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
|
||||
/dev/socket/vold u:object_r:vold_socket:s0
|
||||
/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
|
||||
|
|
@ -240,6 +242,8 @@
|
|||
/system/bin/lmkd u:object_r:lmkd_exec:s0
|
||||
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
|
||||
/system/bin/logd u:object_r:logd_exec:s0
|
||||
/system/bin/traced u:object_r:traced_exec:s0
|
||||
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
|
||||
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
|
||||
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
|
||||
/system/bin/logwrapper u:object_r:system_file:s0
|
||||
|
|
|
|||
|
|
@ -47,6 +47,12 @@ allow isolated_app webview_zygote_tmpfs:file read;
|
|||
# suppress denials to /data/local/tmp
|
||||
dontaudit isolated_app shell_data_file:dir search;
|
||||
|
||||
# Write app-specific trace data to the Perfetto traced damon. This requires
|
||||
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
||||
allow isolated_app traced:fd use;
|
||||
allow isolated_app traced_tmpfs:file { read write getattr map };
|
||||
unix_socket_connect(isolated_app, traced_producer, traced)
|
||||
|
||||
#####
|
||||
##### Neverallow
|
||||
#####
|
||||
|
|
|
|||
|
|
@ -116,6 +116,12 @@ allow priv_app selinuxfs:file r_file_perms;
|
|||
|
||||
read_runtime_log_tags(priv_app)
|
||||
|
||||
# Write app-specific trace data to the Perfetto traced damon. This requires
|
||||
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
||||
allow priv_app traced:fd use;
|
||||
allow priv_app traced_tmpfs:file { read write getattr map };
|
||||
unix_socket_connect(priv_app, traced_producer, traced)
|
||||
|
||||
# suppress denials when safetynet scans /system
|
||||
dontaudit priv_app exec_type:file getattr;
|
||||
dontaudit priv_app device:dir read;
|
||||
|
|
|
|||
|
|
@ -26,3 +26,13 @@ binder_call(shell, storaged)
|
|||
# Perform SELinux access checks, needed for CTS
|
||||
selinux_check_access(shell)
|
||||
selinux_check_context(shell)
|
||||
|
||||
# Control Perfetto traced and obtain traces from it.
|
||||
# Needed for Studio and debugging.
|
||||
unix_socket_connect(shell, traced_consumer, traced)
|
||||
|
||||
# Allow shell binaries to write trace data to Perfetto. Used for testing and
|
||||
# cmdline utils.
|
||||
allow shell traced:fd use;
|
||||
allow shell traced_tmpfs:file { read write getattr map };
|
||||
unix_socket_connect(shell, traced_producer, traced)
|
||||
|
|
|
|||
|
|
@ -30,6 +30,9 @@ binder_call(statsd, statscompanion_service)
|
|||
read_logd(statsd)
|
||||
control_logd(statsd)
|
||||
|
||||
# Allow to control Perfetto traced and consume its traces.
|
||||
unix_socket_connect(statsd, traced_consumer, traced)
|
||||
|
||||
# Grant statsd with permissions to register the services.
|
||||
allow statsd {
|
||||
statscompanion_service
|
||||
|
|
@ -71,4 +74,3 @@ neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;
|
|||
|
||||
# Limited access to the directory itself.
|
||||
neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;
|
||||
|
||||
|
|
|
|||
38
private/traced.te
Normal file
38
private/traced.te
Normal file
|
|
@ -0,0 +1,38 @@
|
|||
# Perfetto user-space tracing daemon (unprivileged)
|
||||
type traced, domain, coredomain;
|
||||
type traced_exec, exec_type, file_type;
|
||||
|
||||
# Allow init to exec the daemon.
|
||||
init_daemon_domain(traced)
|
||||
|
||||
# Allow traced to start with a lower scheduling class and change
|
||||
# class accordingly to what defined in the config provided by
|
||||
# the privileged process that controls it.
|
||||
allow traced self:global_capability_class_set { sys_nice };
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
### traced should NEVER do any of this
|
||||
|
||||
# Disallow mapping executable memory (execstack and exec are already disallowed
|
||||
# globally in domain.te).
|
||||
neverallow traced self:process execmem;
|
||||
|
||||
# Block device access.
|
||||
neverallow traced dev_type:blk_file { read write };
|
||||
|
||||
# ptrace any other process
|
||||
neverallow traced domain:process ptrace;
|
||||
|
||||
# Disallows access to /data files, still allowing to write to file descriptors
|
||||
# passed through the socket.
|
||||
neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
|
||||
neverallow traced system_data_file:dir ~{ getattr search };
|
||||
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
|
||||
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
|
||||
neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;
|
||||
|
||||
# Only init is allowed to enter the traced domain via exec()
|
||||
neverallow { domain -init } traced:process transition;
|
||||
neverallow * traced:process dyntransition;
|
||||
55
private/traced_probes.te
Normal file
55
private/traced_probes.te
Normal file
|
|
@ -0,0 +1,55 @@
|
|||
# Perfetto tracing probes, has tracefs access.
|
||||
type traced_probes, domain, coredomain;
|
||||
type traced_probes_exec, exec_type, file_type;
|
||||
|
||||
# Allow init to exec the daemon.
|
||||
init_daemon_domain(traced_probes)
|
||||
|
||||
# Write trace data to the Perfetto traced damon. This requires connecting to its
|
||||
# producer socket and obtaining a (per-process) tmpfs fd.
|
||||
allow traced_probes traced:fd use;
|
||||
allow traced_probes traced_tmpfs:file { read write getattr map };
|
||||
unix_socket_connect(traced_probes, traced_producer, traced)
|
||||
|
||||
# Allow traced_probes to access tracefs.
|
||||
# TODO(primiano): For the moment this is userdebug/eng only until we get an
|
||||
# approval for user builds.
|
||||
userdebug_or_eng(`
|
||||
allow traced_probes debugfs_tracing:dir r_dir_perms;
|
||||
allow traced_probes debugfs_tracing:file rw_file_perms;
|
||||
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
|
||||
allow traced_probes debugfs_trace_marker:file getattr;
|
||||
')
|
||||
|
||||
# Allow traced_probes to start with a higher scheduling class and then downgrade
|
||||
# itself.
|
||||
allow traced_probes self:global_capability_class_set { sys_nice };
|
||||
|
||||
# Allow procfs access
|
||||
r_dir_file(traced_probes, domain)
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
### traced_probes should NEVER do any of this
|
||||
|
||||
# Disallow mapping executable memory (execstack and exec are already disallowed
|
||||
# globally in domain.te).
|
||||
neverallow traced_probes self:process execmem;
|
||||
|
||||
# Block device access.
|
||||
neverallow traced_probes dev_type:blk_file { read write };
|
||||
|
||||
# ptrace any other app
|
||||
neverallow traced_probes domain:process ptrace;
|
||||
|
||||
# Disallows access to /data files.
|
||||
neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
|
||||
neverallow traced system_data_file:dir ~{ getattr search };
|
||||
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
|
||||
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
|
||||
neverallow traced { data_file_type -zoneinfo_data_file }:file *;
|
||||
|
||||
# Only init is allowed to enter the traced_probes domain via exec()
|
||||
neverallow { domain -init } traced_probes:process transition;
|
||||
neverallow * traced_probes:process dyntransition;
|
||||
|
|
@ -105,3 +105,9 @@ allow untrusted_app_all preloads_data_file:dir search;
|
|||
allow untrusted_app_all vendor_app_file:dir { open getattr read search };
|
||||
allow untrusted_app_all vendor_app_file:file { open getattr read execute };
|
||||
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
|
||||
|
||||
# Write app-specific trace data to the Perfetto traced damon. This requires
|
||||
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
||||
allow untrusted_app_all traced:fd use;
|
||||
allow untrusted_app_all traced_tmpfs:file { read write getattr map };
|
||||
unix_socket_connect(untrusted_app_all, traced_producer, traced)
|
||||
|
|
|
|||
|
|
@ -39,3 +39,9 @@ allow untrusted_v2_app app_api_service:service_manager find;
|
|||
|
||||
# gdbserver for ndk-gdb ptrace attaches to app process.
|
||||
allow untrusted_v2_app self:process ptrace;
|
||||
|
||||
# Write app-specific trace data to the Perfetto traced damon. This requires
|
||||
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
||||
allow untrusted_v2_app traced:fd use;
|
||||
allow untrusted_v2_app traced_tmpfs:file { read write getattr map };
|
||||
unix_socket_connect(untrusted_v2_app, traced_producer, traced)
|
||||
|
|
|
|||
|
|
@ -149,7 +149,8 @@ allow domain sysfs:lnk_file { getattr read };
|
|||
|
||||
# libc references /data/misc/zoneinfo for timezone related information
|
||||
# This directory is considered to be a VNDK-stable
|
||||
r_dir_file(domain, zoneinfo_data_file)
|
||||
allow domain zoneinfo_data_file:file r_file_perms;
|
||||
allow domain zoneinfo_data_file:dir r_dir_perms;
|
||||
|
||||
# Lots of processes access current CPU information
|
||||
r_dir_file(domain, sysfs_devices_system_cpu)
|
||||
|
|
|
|||
|
|
@ -315,6 +315,8 @@ type system_ndebug_socket, file_type, data_file_type, core_data_file_type, cored
|
|||
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
|
||||
type tombstoned_intercept_socket, file_type, coredomain_socket;
|
||||
type traced_producer_socket, file_type, coredomain_socket;
|
||||
type traced_consumer_socket, file_type, coredomain_socket;
|
||||
type uncrypt_socket, file_type, coredomain_socket;
|
||||
type vold_socket, file_type, coredomain_socket;
|
||||
type webview_zygote_socket, file_type, coredomain_socket;
|
||||
|
|
|
|||
Loading…
Reference in a new issue