From b549e2d837f393f0bc2dea081346910ea7460381 Mon Sep 17 00:00:00 2001
From: Lalit Maganti
Date: Fri, 10 Dec 2021 21:50:44 +0000
Subject: [PATCH] sepolicy: add permissions for trace reporting
Bug: 205892741
Change-Id: I1b6b2ebeae99ca6a9725f24564386cea78403c6d
---
 private/gmscore_app.te | 6 ++++++
 private/perfetto.te | 31 ++++++++++++++++++++++++++++---
 private/priv_app.te | 7 +++++++
 private/system_server.te | 4 ++--
 private/traced.te | 10 +++++++++-
 5 files changed, 52 insertions(+), 6 deletions(-)
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 799d7ff00..36cccdf63 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -31,6 +31,12 @@ allow gmscore_app system_update_service:service_manager find;
 # Allow GMS core to communicate with statsd.
 binder_call(gmscore_app, statsd)
+# Allow GMS core to receive Perfetto traces through the framework
+# (i.e. TracingServiceProxy) and sendfile them into its private directory
+# for reporting when network and battery conditions are appropriate.
+allow gmscore_app perfetto:fd use;
+allow gmscore_app perfetto_traces_data_file:file { read getattr };
+
 # Allow GMS core to generate unique hardware IDs
 allow gmscore_app keystore:keystore_key gen_unique_id;
 allow gmscore_app keystore:keystore2_key gen_unique_id;
diff --git a/private/perfetto.te b/private/perfetto.te
index 174855fe9..5897aed4a 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
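Review bot: The added `allow gmscore_app perfetto_traces_data_file:file { read getattr };` covers every file of that type, and the only thing that limits GMS core to the fd it receives over binder is that gmscore_app has no `perfetto_traces_data_file:dir search` rule (priv_app.te in this same patch does carry one). That property appears to be enforced by the new `perfetto_traces_data_file:dir *` neverallow in perfetto.te, which does not exempt gmscore_app, but the comment here does not say so, and a reader may take the missing dir rule for an oversight. Suggest adding a line to the comment: `# Intentionally no dir search: traces are reachable only via the fd passed by the proxy, not by path.`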
@@ -22,10 +22,10 @@ perfetto_producer(perfetto)
 allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
 allow perfetto perfetto_traces_data_file:file create_file_perms;
-# Allow to access binder to pass the traces to Dropbox.
+# Allow perfetto to access the proxy service for reporting traces.
+allow perfetto tracingproxy_service:service_manager find;
 binder_use(perfetto)
 binder_call(perfetto, system_server)
-allow perfetto dropbox_service:service_manager find;
 # Allow perfetto to read the trace config from /data/misc/perfetto-configs.
 # shell and adb can write files into that directory.
@@ -52,6 +52,7 @@ unix_socket_send(perfetto, statsdw, statsd)
 allow perfetto devpts:chr_file rw_file_perms;
 # Allow perfetto to ask incidentd to start a report.
+# TODO(lalitm): remove all incidentd rules when proxy service is stable.
 allow perfetto incident_service:service_manager find;
 binder_call(perfetto, incidentd)
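Review bot: The rewritten comment now describes only the new `tracingproxy_service:service_manager find` rule, while the surviving `binder_use(perfetto)` and `binder_call(perfetto, system_server)` lines lose the explanation the old Dropbox comment gave them. If the proxy is served from system_server, as the system_server.te hunk in this patch suggests, the comment should say so, e.g. `# Allow perfetto to find the tracing proxy service and call into system_server, which hosts it, to report traces.`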
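Review bot: The new TODO in the incidentd block leaves perfetto with two live paths for handing out traces (incidentd and the proxy) and no pointer to where the removal is tracked, so it is likely to outlive its purpose. The patch already carries a tracking bug in its description; tie the TODO to it: `# TODO(lalitm, b/205892741): remove all incidentd rules when proxy service is stable.` The same applies to the two `TODO(lalitm): remove this.` entries in the perfetto.te neverallow hunk.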
@@ -68,7 +69,31 @@ dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
 ###
 ### Neverallow rules
 ###
-### perfetto should NEVER do any of this
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -dumpstate # For attaching traces to bugreports.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+ -priv_app # For stating traces for bug-report UI.
+} perfetto_traces_data_file:dir *;
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
 # Disallow mapping executable memory (execstack and exec are already disallowed
 # globally in domain.te).
diff --git a/private/priv_app.te b/private/priv_app.te
index 909e676a5..2535222c7 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
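Review bot: The second neverallow only forbids permissions other than `getattr` and `read` on trace files, so it does not pin down who may read trace contents: any domain granted `perfetto_traces_data_file:file read` in the future passes this check unchanged, even though the comment says handling traces is limited to "selected system components". Since the patch itself enumerates the intended readers (perfetto, system_server, priv_app, gmscore_app, dumpstate, incidentd, plus the dir exemptions), a third neverallow pinning the read set would make any widening an explicit policy edit; the list below is taken only from rules visible in this patch and must be checked against other readers in the tree before landing. Separately, two comment typos are introduced: `# For devepment purposes.` should read `# For development purposes.` (twice), and `# For stating traces` presumably means `# For stat'ing traces`.
```selinux
# … unchanged: the two neverallow blocks above …
# Pin the set of domains that may read trace contents at all.
neverallow {
 domain
 -init
 -perfetto
 -adbd
 -shell
 -traced
 -dumpstate
 -incidentd # TODO(lalitm): remove this.
 -system_server # TracingServiceProxy.
 -priv_app # Receives traces via the proxy.
 -gmscore_app # Receives traces via the proxy.
} perfetto_traces_data_file:file { getattr read };
```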
@@ -86,6 +86,13 @@ allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
 # Required to traverse the parent dir (/data/misc/perfetto-traces).
 allow priv_app perfetto_traces_data_file:dir { search };
+# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
+# the framework (i.e. TracingServiceProxy) and sendfile them into their private
+# directories for reporting when network and battery conditions are
+# appropriate.
+allow priv_app perfetto:fd use;
+allow priv_app perfetto_traces_data_file:file { read getattr };
+
 # Allow verifier to access staged apks.
 allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 68792e8cd..ee454a682 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -524,9 +524,9 @@ allow system_server incident_data_file:file read;
 allow system_server prereboot_data_file:dir rw_dir_perms;
 allow system_server prereboot_data_file:file create_file_perms;
-# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# Allow tracing proxy service to read traces. Only the fd is sent over
 # binder.
-allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto_traces_data_file:file { read getattr };
 allow system_server perfetto:fd use;
 # Manage /data/backup.
diff --git a/private/traced.te b/private/traced.te
index fc9a2455a..a6e200e62 100644
--- a/private/traced.te
+++ b/private/traced.te
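Review bot: Unlike the gmscore_app.te hunk, priv_app already holds `perfetto_traces_data_file:dir { search }` two lines above the insertion, so adding `perfetto_traces_data_file:file { read getattr }` lets every priv_app open any trace in /data/misc/perfetto-traces by path, not only the one received as an fd from TracingServiceProxy as the comment describes; MAC alone no longer confines it to the fd-passing model, and whatever remains depends on the directory's DAC mode, which is not visible here. If path access is acceptable, the comment should say so rather than describe only the fd flow; if not, the dir search rule (granted for the bug-report UI per the earlier context line) needs a separate type or a narrower domain. Suggested wording: `# NOTE: together with the dir search rule above this also permits opening traces by path, not only via the fd received from the proxy.`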
@@ -118,4 +118,12 @@ neverallow { domain -init } traced:process transition;
 neverallow * traced:process dyntransition;
 # Limit the processes that can access tracingproxy_service.
-neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
+neverallow {
+ domain
+ -traced
+ -dumpstate
+ -traceur_app
+ -shell
+ -system_server
+ -perfetto
+} tracingproxy_service:service_manager find;
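Review bot: The neverallow is expanded to one domain per line but, unlike the new perfetto_traces_data_file neverallows in perfetto.te, none of the six exemptions says why that domain may reach the proxy, so the next person adding an entry has nothing to measure against. Annotate at least the newly added one in the same style as perfetto.te, `-perfetto # Reports finished traces through the proxy.`, and ideally the pre-existing entries too.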