Merge "Allow system_server to attach bpf programs to tracepoints"

This commit is contained in:
Connor O'Brien 2020-02-04 21:11:47 +00:00 committed by Gerrit Code Review
commit d90d4aa2bb
3 changed files with 13 additions and 3 deletions


@ -18,7 +18,7 @@ allow bpfloader self:global_capability_class_set sys_admin;
### Neverallow rules ### Neverallow rules
### ###
neverallow { domain -bpfloader } *:bpf { map_create prog_load }; neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run; neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans }; neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *; neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps # only system_server, netd and bpfloader can read/write the bpf maps
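Review bot: Removing system_server from the prog_run neverallow widens the exemption to every bpf object, while the matching allow in system_server.te only names bpfloader:bpf; the neverallow is now the only thing stopping a later allow on a different program owner, and nothing says so. Since bpf objects appear to carry the label of the domain that loaded them (inferred from bpfloader being the sole prog_load domain on line 13), the time-in-state program is not distinguishable from any other bpfloader program at the policy level, so the grant is effectively "run any bpfloader-loaded program". The comment on the last line could record both facts: `# netd and system_server may run bpfloader-loaded programs; programs are not labeled per purpose, so prog_run covers all of them`.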


@ -132,6 +132,7 @@ full_treble_only(`
-init -init
-traced_probes -traced_probes
-shell -shell
-system_server
-traceur_app -traceur_app
} debugfs_tracing:file no_rw_file_perms; } debugfs_tracing:file no_rw_file_perms;
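Review bot: Adding `-system_server` to this full_treble_only exemption list drops system_server out of the no_rw_file_perms prohibition on debugfs_tracing:file entirely, although the commit only needs read access; after this change no neverallow prevents a later rule from granting system_server write to tracefs. A narrower guard in system_server.te next to the new allow would keep the write side locked down, e.g. `neverallow system_server debugfs_tracing:file no_w_file_perms;`. The enclosing neverallow starts before this hunk, so the domains above `-init` are not visible here.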


@ -896,6 +896,9 @@ allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:dir search; allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms; allow system_server debugfs_wifi_tracing:file rw_file_perms;
# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;
# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper. # asanwrapper.
with_asan(` with_asan(`
@ -905,10 +908,11 @@ with_asan(`
') ')
# allow system_server to read the eBPF maps that stores the traffic stats information and update # allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded # the map after snapshot is recorded, and to read, update and run the maps and programs used for
# time in state accounting
allow system_server fs_bpf:dir search; allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write }; allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write }; allow system_server bpfloader:bpf { map_read map_write prog_run };
# ART Profiles. # ART Profiles.
# Allow system_server to open profile snapshots for read. # Allow system_server to open profile snapshots for read.
@ -1122,3 +1126,8 @@ neverallow { domain -init -system_server } password_slot_metadata_file:notdevfil
set_prop(system_server, binder_cache_system_server_prop) set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init } neverallow { domain -system_server -init }
binder_cache_system_server_prop:property_service set; binder_cache_system_server_prop:property_service set;
# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
# system_server cannot use this access to read perf event data like process stacks.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };
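Review bot: In the first hunk the comment says system_server only needs to read tracepoint ids, but the rule grants `r_file_perms` on every file labeled debugfs_tracing, which is broader than the `id` files under events/; whether trace buffer or trace_pipe files share that label cannot be seen from this page, so it should be confirmed before merging. If only the id files are needed, consider a dedicated type for them, or at least record the assumption in the comment: `# r_file_perms on debugfs_tracing covers all files with that label, not just events/*/id; verify no trace output files carry it`. The perf_event pair in the last hunk is tight (the neverallow of the complement pins read out), which is the pattern the tracing grant lacks.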