Perfetto SELinux policies

Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd.
   It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream
     tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
     from traced to each client process, which needs to be able to
     mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from:
     shell, statsd). It allows to configure tracing and read the trace
     buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
This commit is contained in:
Primiano Tucci 2017-12-21 03:51:15 +01:00
parent 31b11d8ef8
commit c80f9e037b
14 changed files with 153 additions and 2 deletions

View file

@ -55,6 +55,14 @@
tombstone_wifi_data_file
traceur_app
traceur_app_tmpfs
traced
traced_consumer_socket
traced_exec
traced_probes
traced_probes_exec
traced_probes_tmpfs
traced_producer_socket
traced_tmpfs
update_engine_log_data_file
vendor_init
vold_prepare_subdirs

View file

@ -71,6 +71,7 @@ full_treble_only(`
-dumpstate
-init
userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-traced_probes')
-shell
userdebug_or_eng(`-traceur_app')
-vendor_init

View file

@ -35,6 +35,12 @@ allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow ephemeral_app traced:fd use;
allow ephemeral_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(ephemeral_app, traced_producer, traced)
###
### neverallow rules
###

View file

@ -146,6 +146,8 @@
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/vold u:object_r:vold_socket:s0
/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
@ -240,6 +242,8 @@
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
/system/bin/logwrapper u:object_r:system_file:s0

View file

@ -47,6 +47,12 @@ allow isolated_app webview_zygote_tmpfs:file read;
# suppress denials to /data/local/tmp
dontaudit isolated_app shell_data_file:dir search;
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow isolated_app traced:fd use;
allow isolated_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(isolated_app, traced_producer, traced)
#####
##### Neverallow
#####

View file

@ -116,6 +116,12 @@ allow priv_app selinuxfs:file r_file_perms;
read_runtime_log_tags(priv_app)
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow priv_app traced:fd use;
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)
# suppress denials when safetynet scans /system
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;

View file

@ -26,3 +26,13 @@ binder_call(shell, storaged)
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
# Control Perfetto traced and obtain traces from it.
# Needed for Studio and debugging.
unix_socket_connect(shell, traced_consumer, traced)
# Allow shell binaries to write trace data to Perfetto. Used for testing and
# cmdline utils.
allow shell traced:fd use;
allow shell traced_tmpfs:file { read write getattr map };
unix_socket_connect(shell, traced_producer, traced)

View file

@ -30,6 +30,9 @@ binder_call(statsd, statscompanion_service)
read_logd(statsd)
control_logd(statsd)
# Allow to control Perfetto traced and consume its traces.
unix_socket_connect(statsd, traced_consumer, traced)
# Grant statsd with permissions to register the services.
allow statsd {
statscompanion_service
@ -71,4 +74,3 @@ neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;
# Limited access to the directory itself.
neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;

38
private/traced.te Normal file
View file

@ -0,0 +1,38 @@
# Perfetto user-space tracing daemon (unprivileged)
type traced, domain, coredomain;
type traced_exec, exec_type, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced)
# Allow traced to start with a lower scheduling class and change
# class accordingly to what defined in the config provided by
# the privileged process that controls it.
allow traced self:global_capability_class_set { sys_nice };
###
### Neverallow rules
###
### traced should NEVER do any of this
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced self:process execmem;
# Block device access.
neverallow traced dev_type:blk_file { read write };
# ptrace any other process
neverallow traced domain:process ptrace;
# Disallows access to /data files, still allowing to write to file descriptors
# passed through the socket.
neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
neverallow traced system_data_file:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;

55
private/traced_probes.te Normal file
View file

@ -0,0 +1,55 @@
# Perfetto tracing probes, has tracefs access.
type traced_probes, domain, coredomain;
type traced_probes_exec, exec_type, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced_probes)
# Write trace data to the Perfetto traced damon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
allow traced_probes traced:fd use;
allow traced_probes traced_tmpfs:file { read write getattr map };
unix_socket_connect(traced_probes, traced_producer, traced)
# Allow traced_probes to access tracefs.
# TODO(primiano): For the moment this is userdebug/eng only until we get an
# approval for user builds.
userdebug_or_eng(`
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
')
# Allow traced_probes to start with a higher scheduling class and then downgrade
# itself.
allow traced_probes self:global_capability_class_set { sys_nice };
# Allow procfs access
r_dir_file(traced_probes, domain)
###
### Neverallow rules
###
### traced_probes should NEVER do any of this
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced_probes self:process execmem;
# Block device access.
neverallow traced_probes dev_type:blk_file { read write };
# ptrace any other app
neverallow traced_probes domain:process ptrace;
# Disallows access to /data files.
neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
neverallow traced system_data_file:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced { data_file_type -zoneinfo_data_file }:file *;
# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
neverallow * traced_probes:process dyntransition;

View file

@ -105,3 +105,9 @@ allow untrusted_app_all preloads_data_file:dir search;
allow untrusted_app_all vendor_app_file:dir { open getattr read search };
allow untrusted_app_all vendor_app_file:file { open getattr read execute };
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow untrusted_app_all traced:fd use;
allow untrusted_app_all traced_tmpfs:file { read write getattr map };
unix_socket_connect(untrusted_app_all, traced_producer, traced)

View file

@ -39,3 +39,9 @@ allow untrusted_v2_app app_api_service:service_manager find;
# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_v2_app self:process ptrace;
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow untrusted_v2_app traced:fd use;
allow untrusted_v2_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(untrusted_v2_app, traced_producer, traced)

View file

@ -149,7 +149,8 @@ allow domain sysfs:lnk_file { getattr read };
# libc references /data/misc/zoneinfo for timezone related information
# This directory is considered to be a VNDK-stable
r_dir_file(domain, zoneinfo_data_file)
allow domain zoneinfo_data_file:file r_file_perms;
allow domain zoneinfo_data_file:dir r_dir_perms;
# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)

View file

@ -315,6 +315,8 @@ type system_ndebug_socket, file_type, data_file_type, core_data_file_type, cored
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type traced_producer_socket, file_type, coredomain_socket;
type traced_consumer_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket;
type vold_socket, file_type, coredomain_socket;
type webview_zygote_socket, file_type, coredomain_socket;