From 8b2647217700d7cd3645270f078c2384f91f135b Mon Sep 17 00:00:00 2001
From: Ryan Savitski
Date: Sun, 31 Jan 2021 14:53:33 +0000
Subject: [PATCH] traced_perf: allow RO tracefs access + fix neverallow

We're adding support for counting and/or sampling on the static kernel tracepoints in traced_perf (via perf_event_open). This requires traslating a human-readable tracepoint name to its id for the running kernel. For that, we need to read the "id" files like: /sys/kernel/tracing/events/sched/sched_switch/id

While the current implementation should only need "file r_file_perms", as it constructs the full path to the id file, I've also added the directory-level rule to allow for a possible change in implementation, as we might want to enumerate all available events ahead of time, which would require listing the tracefs events/ dir.

The changed neverallow macro was a copypaste mistake.

Example denials without the change:
avc: denied { read } for name="id" dev="tracefs" ino=5721 scontext=u:r:traced_perf:s0 tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs" ino=5721 scontext=u:r:traced_perf:s0 tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs" ino=5721 scontext=u:r:traced_perf:s0 tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1

Tested: collected a profile sampled on "sched/sched_switch" on crosshatch-userdebug.

Bug: 170284829
Bug: 178961752
Change-Id: I75427e848ccfdc200c5f9b679ea18fc78e1669d6
---
 private/coredomain.te | 1 +
 private/traced_perf.te | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/private/coredomain.te b/private/coredomain.te
index 4209ac7ab..de9b95382 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -164,6 +164,7 @@ full_treble_only(`
 -dumpstate
 -gpuservice
 -init
+-traced_perf
 -traced_probes
 -shell
 -system_server
diff --git a/private/traced_perf.te b/private/traced_perf.te
index e5760f0e3..96a7263f7 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -38,6 +38,14 @@ r_dir_file(traced_perf, vendor_file_type)
 userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
 allow traced_perf proc_kallsyms:file r_file_perms;
 
+# Allow reading tracefs files to get the format and numeric ids of tracepoints.
+allow traced_perf debugfs_tracing:dir r_dir_perms;
+allow traced_perf debugfs_tracing:file r_file_perms;
+userdebug_or_eng(`
+ allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
+ allow traced_perf debugfs_tracing_debug:file r_file_perms;
+')
+
 # Do not audit the cases where traced_perf attempts to access /proc/[pid] for
 # domains that it cannot read.
 dontaudit traced_perf domain:dir { search getattr open };
@@ -51,7 +59,7 @@ dontaudit traced_perf domain:process signal;
 neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
 
 # Never allow profiling highly privileged processes.
-never_profile_heap(`{
+never_profile_perf(`{
 bpfloader
 init
 kernel
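Review bot: The neverallow whose exemption list gains `-traced_perf` starts outside the hunk; only the `full_treble_only(` opener appears in the @@ context, so the target type set it covers cannot be checked from here. If that statement covers more than the debugfs_tracing and debugfs_tracing_debug reads added in traced_perf.te, the exemption is wider than the new allow rules need, and it would be worth confirming in the commit message which types the neverallow names. Exemptions from a neverallow are the part of such a change that relaxes the policy, so a reviewer should be able to see the full statement rather than just the list.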
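Review bot: The directory rule `allow traced_perf debugfs_tracing:dir r_dir_perms;` has no denial backing it: all three avc lines in the description are tclass=file, and the description itself says the current implementation only needs file read. SELinux rules are normally added on demonstrated need, so dropping the two `:dir r_dir_perms` lines (the debugfs_tracing one and the debugfs_tracing_debug one inside userdebug_or_eng) until the events/ enumeration code exists would keep the grant minimal; if they stay, the comment should say so, e.g. `# dir read is not needed yet; added ahead of a possible events/ enumeration.` The file rule is also type-wide: every tracefs file labeled debugfs_tracing becomes readable, not only the `events/*/id` and `format` files the comment mentions, which presumably cannot be narrowed without a finer type but deserves a sentence in the comment so the breadth is not mistaken for the need.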