diff --git a/microdroid/system/private/atrace.te b/microdroid/system/private/atrace.te
new file mode 100644
index 000000000..f8dd24f18
--- /dev/null
+++ b/microdroid/system/private/atrace.te
@@ -0,0 +1,11 @@
+# SELinux policy for the atrace daemon running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/atrace.te
+# So far, this file contains a subset of rules defined for the host Android.
+
+type atrace, domain, coredomain;
+type atrace_exec, exec_type, file_type, system_file_type;
+
+# Allow atrace to write data when a pipe is used for stdout/stderr.
+# This is used by Perfetto to capture atrace stdout/stderr.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file { getattr write };
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 5482b014e..916eebff5 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -544,7 +544,7 @@ neverallow { domain } ashmem_device:chr_file open;
-neverallow { domain -init -vendor_init } debugfs_tracing_printk_formats:file *;
+neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;
 # Linux lockdown "integrity" level is enforced for user builds.
 neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 6f037a38d..a06a9cf65 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -27,3 +27,9 @@ type encryptedstore_fs, fs_type, contextmount_type;
 # Filesystem entry for for PRNG seeder socket.
 type prng_seeder_socket, file_type, coredomain_socket;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-configs for perfetto configs
+type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
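Review bot: atrace.te declares the `atrace` domain but, unlike traced.te and traced_probes.te in this same change, adds no guard on who may enter it; the only intended entry visible in the diff is `domain_auto_trans(traced_probes, atrace_exec, atrace)` in traced_probes.te. If no other caller is intended in Microdroid, mirroring the sibling files with `neverallow { domain -traced_probes } atrace:process transition;` and `neverallow * atrace:process dyntransition;` would pin that down (the host atrace.te the header points to is the place to confirm). As a style point, `atrace_exec` lists its attributes as `exec_type, file_type, system_file_type` while the other three new `*_exec` types use `system_file_type, exec_type, file_type`.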
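Review bot: The new `-traced_probes` exemption on the `debugfs_tracing_printk_formats` neverallow in domain.te carries no comment, so a later reader has to search for the matching `allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;` in traced_probes.te to see why it is there. A one-line comment above the rule, `# traced_probes is exempted because it needs r_file_perms on printk_formats (see traced_probes.te).`, keeps the exemption traceable. The rest of the neverallow block this rule belongs to lies outside the hunk.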
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 63221ce52..e9b0c83fd 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -74,6 +74,8 @@
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
 /dev/socket/authfs_service u:object_r:authfs_service_socket:s0
 /dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
+/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
+/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
 /dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
 /dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
 /dev/tty u:object_r:owntty_device:s0
@@ -123,6 +125,10 @@
 /system/bin/mke2fs u:object_r:e2fs_exec:s0
 /system/bin/kexec_load u:object_r:kexec_exec:s0
 /system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
+/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/perfetto u:object_r:perfetto_exec:s0
+/system/bin/traced u:object_r:traced_exec:s0
+/system/bin/traced_probes u:object_r:traced_probes_exec:s0
 /system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
diff --git a/microdroid/system/private/perfetto.te b/microdroid/system/private/perfetto.te
new file mode 100644
index 000000000..4efb3234e
--- /dev/null
+++ b/microdroid/system/private/perfetto.te
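Review bot: The file_contexts hunks label the two traced sockets and the four binaries but add no entries for `/data/misc/perfetto-traces` and `/data/misc/perfetto-configs`, although private/file.te in this change introduces `perfetto_traces_data_file` and `perfetto_configs_data_file` for exactly those paths and the perfetto.te and traced.te rules are built on them. Without a labeling entry those directories would presumably inherit their parent's label and the new types would never be applied, so the allow rules and the `perfetto_traces_data_file` neverallows would not take effect. If the labeling is handled elsewhere (an init.rc mkdir with an explicit context, or a follow-up change), a pointer to it in the file.te comments would help; otherwise the lines to add, following the existing `(/.*)?` convention, are `/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0` and `/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0`.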
@@ -0,0 +1,78 @@
+# SELinux policy for the perfetto binary running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/perfetto.te
+# So far, this is file contains a subset of rules defined for the host Android.
+
+type perfetto, domain, coredomain;
+type perfetto_exec, system_file_type, exec_type, file_type;
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Connect to the Perfetto traced daemon as a producer. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(perfetto)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
+# shell and adb can write files into that directory.
+allow perfetto perfetto_configs_data_file:dir r_dir_perms;
+allow perfetto perfetto_configs_data_file:file r_file_perms;
+
+# Allow adbd to reap perfetto.
+allow perfetto adbd:process { sigchld };
+
+###
+### Neverallow rules
+###
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -vendor_init # TODO(b/249050813): remove this
+} perfetto_traces_data_file:dir *;
+
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -vendor_init # TODO(b/249050813): remove this
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto {
+ data_file_type
+ -perfetto_traces_data_file
+ -perfetto_configs_data_file
+ # We need following 3 lines because allow rules for them are defined at the
+ # domain/coredomain level.
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+}:dir *;
+
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto {
+ data_file_type
+ -perfetto_traces_data_file
+ -perfetto_configs_data_file
+}:file ~write;
diff --git a/microdroid/system/private/traced.te b/microdroid/system/private/traced.te
new file mode 100644
index 000000000..1d94c157d
--- /dev/null
+++ b/microdroid/system/private/traced.te
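Review bot: Nothing in this change transitions into the `perfetto` domain: perfetto.te has neither `init_daemon_domain` nor a `domain_auto_trans` into it, while `/system/bin/perfetto` is labeled `perfetto_exec` in file_contexts and `allow perfetto adbd:process { sigchld };` together with the `-shell`/`-adbd` exemptions implies shell or adbd is expected to exec it. If the transition rules live in shell.te/adbd.te outside this diff, a comment next to the type declaration naming them would help; if not, the binary cannot run in its domain, and the neverallow on `perfetto_traces_data_file` would then matter only for the exempted domains. Two typos in the comments: `# So far, this is file contains` should read `# So far, this file contains`, and `-shell # For devepment purposes.` (twice) should read `-shell # For development purposes.`. The `-vendor_init` exemptions are already marked with TODO(b/249050813).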
@@ -0,0 +1,69 @@
+# SELinux policy for the traced daemon running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/traced.te
+# So far, this is file contains a subset of rules defined for the host Android.
+
+type traced, domain, coredomain;
+type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;
+
+# Allow init to exec traced daemon
+init_daemon_domain(traced)
+
+# Required for perfetto_produced macro
+tmpfs_domain(traced)
+
+# Allow to pass a file descriptor for the output trace from "perfetto" (the
+# cmdline client) and other shell binaries to traced and let traced write
+# directly into that (rather than returning the trace contents over the socket).
+allow traced perfetto:fd use;
+allow traced shell:fd use;
+allow traced shell:fifo_file { read write };
+
+# Allow the service to create new files within /data/misc/perfetto-traces.
+allow traced perfetto_traces_data_file:file create_file_perms;
+allow traced perfetto_traces_data_file:dir rw_dir_perms;
+
+# Allow traced to use shared memory supplied by producers. Typically, traced
+# (i.e. the tracing service) creates the shared memory used for data transfer
+# from the producer. This rule allows an alternative scheme, where the producer
+# creates the shared memory, that is then adopted by traced (after validating
+# that it is appropriately sealed).
+# This list has to replicate the tmpfs domains of all applicable domains that
+# have perfetto_producer() macro applied to them.
+# perfetto_tmpfs excluded as it should never need to use the producer-supplied
+# shared memory scheme.
+allow traced traced_probes_tmpfs:file { getattr map read write };
+
+ ###
+### Neverallow rules
+###
+### traced should NEVER do any of this
+
+# Block device access.
+neverallow traced dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow traced domain:process ptrace;
+
+# Disallows access to /data files, still allowing to write to file descriptors
+# passed through the socket.
+neverallow traced {
+ data_file_type
+ -perfetto_traces_data_file
+ # We need following 3 lines because allow rules for them are defined at the
+ # domain/coredomain level.
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+}:dir *;
+
+neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+ data_file_type
+ -perfetto_traces_data_file
+}:file ~write;
+
+# Only init is allowed to enter the traced domain via exec()
+neverallow { domain -init } traced:process transition;
+neverallow * traced:process dyntransition;
diff --git a/microdroid/system/private/traced_probes.te b/microdroid/system/private/traced_probes.te
new file mode 100644
index 000000000..cfc81b576
--- /dev/null
+++ b/microdroid/system/private/traced_probes.te
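Review bot: The comment `# Required for perfetto_produced macro` above `tmpfs_domain(traced)` names a macro that does not appear anywhere in this change; every other reference (perfetto.te, traced_probes.te, the comment further down in this file) is to `perfetto_producer`, so it should read `# Required for the perfetto_producer macro`. The same header typo as perfetto.te is on line 3, `this is file contains` → `this file contains`. The `perfetto_producer`, `unix_socket_connect`, `tmpfs_domain` and `init_daemon_domain` macros are used but not defined in the diff; presumably Microdroid's te_macros already provides them, which is worth confirming since `perfetto_producer` is what the `traced_tmpfs` type and the `traced_probes_tmpfs` allow rule are justified by.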
@@ -0,0 +1,62 @@
+type traced_probes, domain, coredomain;
+type traced_probes_exec, system_file_type, exec_type, file_type;
+type traced_probes_tmpfs, file_type;
+
+# Allow init to exec traced_probes daemon
+init_daemon_domain(traced_probes)
+
+# The traced daemon uses shared memory supplied producers. And hence
+# traced_probes daemon is a producer we need to have tmpfs_domain for it.
+tmpfs_domain(traced_probes)
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(traced_probes)
+
+# Allow traced_probes to access tracefs.
+allow traced_probes debugfs_tracing:dir r_dir_perms;
+allow traced_probes debugfs_tracing:file rw_file_perms;
+allow traced_probes debugfs_trace_marker:file getattr;
+allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
+
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
+# Allow procfs access
+r_dir_file(traced_probes, domain)
+
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace)
+
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;
+
+###
+### Neverallow rules
+###
+### traced_probes should NEVER do any of this
+
+# Block device access.
+neverallow traced_probes dev_type:blk_file { read write };
+
+# ptrace any other app
+# TODO(b/271562015): move this to domain level neverallow rule.
+neverallow traced_probes domain:process ptrace;
+
+# Disallows access to /data files.
+neverallow traced_probes {
+ data_file_type
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+}:dir *;
+
+neverallow traced_probes system_data_file:dir ~{ getattr search };
+
+neverallow traced_probes_exec data_file_type:file *;
+
+# Only init is allowed to enter the traced_probes domain via exec()
+neverallow { domain -init } traced_probes:process transition;
+neverallow * traced_probes:process dyntransition;
+
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index fe269d74b..6a698c3c4 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -45,6 +45,8 @@ type vendor_data_file, file_type, data_file_type;
 type vendor_file, file_type, vendor_file_type;
 type vendor_service_contexts_file, vendor_file_type, file_type;
 type vm_payload_service_socket, file_type, coredomain_socket;
+type traced_consumer_socket, file_type, coredomain_socket;
+type traced_producer_socket, file_type, coredomain_socket;
 # file system types
 type binfmt_miscfs, fs_type;
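Review bot: `neverallow traced_probes_exec data_file_type:file *;` near the end of the hunk has the exec file type as its subject; only process domains ever appear as the source of an access check, so this rule can never match, and the `:file` restriction that traced.te and perfetto.te carry (`neverallow traced { data_file_type -perfetto_traces_data_file }:file ~write;`) is effectively absent for traced_probes. If the intent is the same as in the sibling files, `neverallow traced_probes data_file_type:file ~write;` is the equivalent line; it may be a verbatim copy from the host traced_probes.te, so check there first and confirm the policy still compiles against the coredomain-level allows before changing it. This file is also the only new .te without the three-line header the others carry (purpose, pointer to system/sepolicy/private/traced_probes.te, subset note), and the comments have `damon` → `daemon` and `supplied producers` → `supplied by producers`.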