Add selinux rules for perfetto daemones

Note: this is a somewhat minimal set of rules required to be able to capture traces on Microdroid. After the trace is captured I still see a bunch of SELinux denials. We might need to add more allow rules in the follow up changes. Bug: 249050813 Test: boot Microdroid VM, capture traces with record_android_traces Change-Id: I62098fb79a8db65706a5bb28c8acce7ff3821f15
2023-03-03 00:43:22 +00:00 · 2023-03-03 00:43:22 +00:00 · 6069e7c8f2
commit 6069e7c8f2
parent 6ad15b7c74
8 changed files with 235 additions and 1 deletions
--- a/microdroid/system/private/atrace.te
+++ b/microdroid/system/private/atrace.te
@ -0,0 +1,11 @@
+# SELinux policy for the atrace daemon running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/atrace.te
+# So far, this file contains a subset of rules defined for the host Android.
+
+type atrace, domain, coredomain;
+type atrace_exec, exec_type, file_type, system_file_type;
+
+# Allow atrace to write data when a pipe is used for stdout/stderr.
+# This is used by Perfetto to capture atrace stdout/stderr.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file { getattr write };
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@ -544,7 +544,7 @@ neverallow {
  domain
 } ashmem_device:chr_file open;

-neverallow { domain -init -vendor_init } debugfs_tracing_printk_formats:file *;
+neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;

 # Linux lockdown "integrity" level is enforced for user builds.
 neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@ -27,3 +27,9 @@ type encryptedstore_fs, fs_type, contextmount_type;

 # Filesystem entry for for PRNG seeder socket.
 type prng_seeder_socket, file_type, coredomain_socket;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-configs for perfetto configs
+type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@ -74,6 +74,8 @@
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
 /dev/socket/authfs_service u:object_r:authfs_service_socket:s0
 /dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
+/dev/socket/traced_consumer	u:object_r:traced_consumer_socket:s0
+/dev/socket/traced_producer	u:object_r:traced_producer_socket:s0
 /dev/sys/block/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/sys/fs/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/tty		u:object_r:owntty_device:s0
@ -123,6 +125,10 @@
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/kexec_load           u:object_r:kexec_exec:s0
 /system/bin/prng_seeder          u:object_r:prng_seeder_exec:s0
+/system/bin/atrace               u:object_r:atrace_exec:s0
+/system/bin/perfetto             u:object_r:perfetto_exec:s0
+/system/bin/traced               u:object_r:traced_exec:s0
+/system/bin/traced_probes        u:object_r:traced_probes_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
--- a/microdroid/system/private/perfetto.te
+++ b/microdroid/system/private/perfetto.te
@ -0,0 +1,78 @@
+# SELinux policy for the perfetto binary running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/perfetto.te
+# So far, this is file contains a subset of rules defined for the host Android.
+
+type perfetto, domain, coredomain;
+type perfetto_exec, system_file_type, exec_type, file_type;
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Connect to the Perfetto traced daemon as a producer. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(perfetto)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
+# shell and adb can write files into that directory.
+allow perfetto perfetto_configs_data_file:dir r_dir_perms;
+allow perfetto perfetto_configs_data_file:file r_file_perms;
+
+# Allow adbd to reap perfetto.
+allow perfetto adbd:process { sigchld };
+
+###
+### Neverallow rules
+###
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+  domain
+  -init      # The creator of the folder.
+  -perfetto  # The owner of the folder.
+  -adbd      # For pulling traces.
+  -shell     # For devepment purposes.
+  -traced    # For write_into_file traces.
+  -vendor_init # TODO(b/249050813): remove this
+} perfetto_traces_data_file:dir *;
+
+neverallow {
+  domain
+  -init      # The creator of the folder.
+  -perfetto  # The owner of the folder.
+  -adbd      # For pulling traces.
+  -shell     # For devepment purposes.
+  -traced    # For write_into_file traces.
+  -vendor_init # TODO(b/249050813): remove this
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto {
+  data_file_type
+  -perfetto_traces_data_file
+  -perfetto_configs_data_file
+  # We need following 3 lines because allow rules for them are defined at the
+  # domain/coredomain level.
+  -system_data_file
+  -system_data_root_file
+  -vendor_data_file
+}:dir *;
+
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto {
+  data_file_type
+  -perfetto_traces_data_file
+  -perfetto_configs_data_file
+}:file ~write;
--- a/microdroid/system/private/traced.te
+++ b/microdroid/system/private/traced.te
@ -0,0 +1,69 @@
+# SELinux policy for the traced daemon running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/traced.te
+# So far, this is file contains a subset of rules defined for the host Android.
+
+type traced, domain, coredomain;
+type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;
+
+# Allow init to exec traced daemon
+init_daemon_domain(traced)
+
+# Required for perfetto_produced macro
+tmpfs_domain(traced)
+
+# Allow to pass a file descriptor for the output trace from "perfetto" (the
+# cmdline client) and other shell binaries to traced and let traced write
+# directly into that (rather than returning the trace contents over the socket).
+allow traced perfetto:fd use;
+allow traced shell:fd use;
+allow traced shell:fifo_file { read write };
+
+# Allow the service to create new files within /data/misc/perfetto-traces.
+allow traced perfetto_traces_data_file:file create_file_perms;
+allow traced perfetto_traces_data_file:dir rw_dir_perms;
+
+# Allow traced to use shared memory supplied by producers. Typically, traced
+# (i.e. the tracing service) creates the shared memory used for data transfer
+# from the producer. This rule allows an alternative scheme, where the producer
+# creates the shared memory, that is then adopted by traced (after validating
+# that it is appropriately sealed).
+# This list has to replicate the tmpfs domains of all applicable domains that
+# have perfetto_producer() macro applied to them.
+# perfetto_tmpfs excluded as it should never need to use the producer-supplied
+# shared memory scheme.
+allow traced traced_probes_tmpfs:file { getattr map read write };
+
+
+###
+### Neverallow rules
+###
+### traced should NEVER do any of this
+
+# Block device access.
+neverallow traced dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow traced domain:process ptrace;
+
+# Disallows access to /data files, still allowing to write to file descriptors
+# passed through the socket.
+neverallow traced {
+  data_file_type
+  -perfetto_traces_data_file
+  # We need following 3 lines because allow rules for them are defined at the
+  # domain/coredomain level.
+  -system_data_file
+  -system_data_root_file
+  -vendor_data_file
+}:dir *;
+
+neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+  data_file_type
+  -perfetto_traces_data_file
+}:file ~write;
+
+# Only init is allowed to enter the traced domain via exec()
+neverallow { domain -init } traced:process transition;
+neverallow * traced:process dyntransition;
--- a/microdroid/system/private/traced_probes.te
+++ b/microdroid/system/private/traced_probes.te
@ -0,0 +1,62 @@
+type traced_probes, domain, coredomain;
+type traced_probes_exec, system_file_type, exec_type, file_type;
+type traced_probes_tmpfs, file_type;
+
+# Allow init to exec traced_probes daemon
+init_daemon_domain(traced_probes)
+
+# The traced daemon uses shared memory supplied producers. And hence
+# traced_probes daemon is a producer we need to have tmpfs_domain for it.
+tmpfs_domain(traced_probes)
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(traced_probes)
+
+# Allow traced_probes to access tracefs.
+allow traced_probes debugfs_tracing:dir r_dir_perms;
+allow traced_probes debugfs_tracing:file rw_file_perms;
+allow traced_probes debugfs_trace_marker:file getattr;
+allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
+
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
+# Allow procfs access
+r_dir_file(traced_probes, domain)
+
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace)
+
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;
+
+###
+### Neverallow rules
+###
+### traced_probes should NEVER do any of this
+
+# Block device access.
+neverallow traced_probes dev_type:blk_file { read write };
+
+# ptrace any other app
+# TODO(b/271562015): move this to domain level neverallow rule.
+neverallow traced_probes domain:process ptrace;
+
+# Disallows access to /data files.
+neverallow traced_probes {
+  data_file_type
+  -system_data_file
+  -system_data_root_file
+  -vendor_data_file
+}:dir *;
+
+neverallow traced_probes system_data_file:dir ~{ getattr search };
+
+neverallow traced_probes_exec data_file_type:file *;
+
+# Only init is allowed to enter the traced_probes domain via exec()
+neverallow { domain -init } traced_probes:process transition;
+neverallow * traced_probes:process dyntransition;
+
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@ -45,6 +45,8 @@ type vendor_data_file, file_type, data_file_type;
 type vendor_file, file_type, vendor_file_type;
 type vendor_service_contexts_file, vendor_file_type, file_type;
 type vm_payload_service_socket, file_type, coredomain_socket;
+type traced_consumer_socket, file_type, coredomain_socket;
+type traced_producer_socket, file_type, coredomain_socket;

 # file system types
 type binfmt_miscfs, fs_type;