perf_event: rules for system and simpleperf domain
This patch adds the necessary rules to support the existing usage of perf_event_open by the system partition, which almost exclusively concerns the simpleperf profiler. A new domain is introduced for some (but not all) executions of the system image simpleperf. The following configurations are supported: * shell -> shell process (no domain transition) * shell -> debuggable app (through shell -> runas -> runas_app) * shell -> profileable app (through shell -> simpleperf_app_runner -> untrusted_app -> simpleperf) * debuggable/profile app -> self (through untrusted_app -> simpleperf) simpleperf_app_runner still enters the untrusted_app domain immediately before exec to properly inherit the categories related to MLS. My understanding is that a direct transition would require modifying external/selinux and seapp_contexts as with "fromRunAs", which seems unnecessarily complex for this case. runas_app can still run side-loaded binaries and use perf_event_open, but it checks that the target app is exactly "debuggable" (profileability is insufficient). system-wide profiling is effectively constrained to "su" on debug builds. See go/perf-event-open-security for a more detailed explanation of the scenarios covered here. Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug Tested: manual simpleperf invocations on crosshatch-userdebug Bug: 137092007 Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
parent
edc513c8c1
commit
ffa0dd93f3
10 changed files with 81 additions and 11 deletions
|
@ -56,6 +56,7 @@
|
|||
ota_prop
|
||||
art_apex_dir
|
||||
service_manager_service
|
||||
simpleperf
|
||||
soundtrigger_middleware_service
|
||||
sysfs_dm_verity
|
||||
system_group_file
|
||||
|
|
|
@ -338,6 +338,7 @@
|
|||
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
|
||||
/system/bin/apexd u:object_r:apexd_exec:s0
|
||||
/system/bin/gsid u:object_r:gsid_exec:s0
|
||||
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
|
||||
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
|
||||
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
|
||||
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
|
||||
|
|
|
@ -16,3 +16,17 @@ r_dir_file(runas_app, untrusted_app_all)
|
|||
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
|
||||
allow runas_app untrusted_app_all:process { ptrace signal sigstop };
|
||||
allow runas_app untrusted_app_all:unix_stream_socket connectto;
|
||||
|
||||
# Allow executing system image simpleperf without a domain transition.
|
||||
allow runas_app simpleperf_exec:file rx_file_perms;
|
||||
|
||||
# Suppress denial logspam when simpleperf is trying to find a matching process
|
||||
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
|
||||
# the same domain as their respective process, most of which this domain is not
|
||||
# allowed to see.
|
||||
dontaudit runas_app domain:dir search;
|
||||
|
||||
# Allow runas_app to call perf_event_open for profiling debuggable app
|
||||
# processes, but not the whole system.
|
||||
allow runas_app self:perf_event { open read write kernel };
|
||||
neverallow runas_app self:perf_event ~{ open read write kernel };
|
||||
|
|
|
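Review bot: The comment above `allow runas_app self:perf_event { open read write kernel };` says "but not the whole system" without naming the mechanism that enforces it, which is that `cpu` and `tracepoint` are absent from the allow set and rejected at compile time by `neverallow runas_app self:perf_event ~{ open read write kernel };`. A maintainer reading only the comment cannot tell which permission must never be added, so suggest spelling it out: `# System-wide (cpu-scoped) and tracepoint sampling stay denied: the neverallow below fails the build if any perf_event permission other than open/read/write/kernel is granted.`. The same comment/neverallow pair appears in shell.te and in the new private/simpleperf.te and would benefit from the same wording.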
@ -83,3 +83,11 @@ allowxperm shell shell_data_file:dir ioctl {
|
|||
FS_IOC_GET_ENCRYPTION_POLICY
|
||||
FS_IOC_GET_ENCRYPTION_POLICY_EX
|
||||
};
|
||||
|
||||
# Allow shell to execute simpleperf without a domain transition.
|
||||
allow shell simpleperf_exec:file rx_file_perms;
|
||||
|
||||
# Allow shell to call perf_event_open for profiling other shell processes, but
|
||||
# not the whole system.
|
||||
allow shell self:perf_event { open read write kernel };
|
||||
neverallow shell self:perf_event ~{ open read write kernel };
|
||||
|
|
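--- /dev/null
+++ b/private/simpleperf.te
@@ -0,0 +1,37 @@
+# Domain used when running /system/bin/simpleperf to profile a specific app.
+# Entered either by the app itself exec-ing the binary, or through
+# simpleperf_app_runner (with shell as its origin). Certain other domains
+# (runas_app, shell) can also exec this binary without a domain transition.
+typeattribute simpleperf coredomain;
+type simpleperf_exec, system_file_type, exec_type, file_type;
+
+domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
+
+# When running in this domain, simpleperf is scoped to profiling an individual
+# app. The necessary MAC permissions for profiling are more maintainable and
+# consistent if simpleperf is marked as an app domain as well (as, for example,
+# it will then see the same set of system libraries as the app).
+app_domain(simpleperf)
+untrusted_app_domain(simpleperf)
+
+# Allow ptrace attach to the target app, for reading JIT debug info (using
+# process_vm_readv) during unwinding and symbolization.
+allow simpleperf untrusted_app_all:process ptrace;
+
+# Allow using perf_event_open syscall for profiling the target app.
+allow simpleperf self:perf_event { open read write kernel };
+
+# Allow /proc/<pid> access for the target app (for example, when trying to
+# discover it by cmdline).
+r_dir_file(simpleperf, untrusted_app_all)
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective processes, most of which this domain is
+# not allowed to see.
+dontaudit simpleperf domain:dir search;
+
+# Neverallows:
+
+# Profiling must be confined to the scope of an individual app.
+neverallow simpleperf self:perf_event ~{ open read write kernel };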
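Review bot: The comments on `allow simpleperf untrusted_app_all:process ptrace;` and `r_dir_file(simpleperf, untrusted_app_all)` describe the access as scoped to "the target app", but the type rules themselves permit ptrace and /proc reads against every process in untrusted_app_all. The per-app confinement is not expressed here at all; per the commit description it comes from the MLS categories the simpleperf process inherits from the app, and presumably also from the kernel's uid-based ptrace access check, which a reader of this file cannot see. Suggest stating that next to the ptrace rule: `# Type-level this grants ptrace of any untrusted_app_all process; confinement to the single target app relies on the MLS categories inherited from the app (see commit description), not on this rule.`. The same caveat applies to `allow untrusted_app_all simpleperf:process signal;` in untrusted_app_all.te, whose comment likewise assumes the sender is the profiled app.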
@ -168,3 +168,8 @@ userdebug_or_eng(`
|
|||
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
|
||||
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
|
||||
')
|
||||
|
||||
# Allow signalling simpleperf domain, which is the domain that the simpleperf
|
||||
# profiler runs as when executed by the app. The signals are used to control
|
||||
# the profiler (which would be profiling the app that is sending the signal).
|
||||
allow untrusted_app_all simpleperf:process signal;
|
||||
|
|
|
@ -1173,10 +1173,11 @@ neverallow {
|
|||
-zygote
|
||||
} shell:process { transition dyntransition };
|
||||
|
||||
# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
|
||||
# attribute.
|
||||
# Only domains spawned from zygote, runas and simpleperf_app_runner may have
|
||||
# the appdomain attribute. simpleperf is excluded as a domain transitioned to
|
||||
# when running an app-scoped profiling session.
|
||||
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
|
||||
appdomain -shell userdebug_or_eng(`-su')
|
||||
appdomain -shell -simpleperf userdebug_or_eng(`-su')
|
||||
}:process { transition dyntransition };
|
||||
|
||||
# Minimize read access to shell- or app-writable symlinks.
|
||||
|
|
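Review bot: Adding `-simpleperf` to the target set of the appdomain transition neverallow removes the compile-time guarantee that only zygote, runas and simpleperf_app_runner can enter an app domain, and nothing in this change replaces it for simpleperf. The only intended entry path visible in private/simpleperf.te is `domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)`, so a future allow rule giving some other domain a transition into simpleperf (an app domain with ptrace and perf_event rights) would now pass policy compilation silently. If no other entry path is intended, suggest pinning it in private/simpleperf.te: `neverallow { domain -untrusted_app_all } simpleperf:process { transition dyntransition };`.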
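--- /dev/null
+++ b/public/simpleperf.te
@@ -0,0 +1 @@
+type simpleperf, domain;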
@ -52,6 +52,7 @@ userdebug_or_eng(`
|
|||
dontaudit su postinstall_file:filesystem *;
|
||||
dontaudit su domain:bpf *;
|
||||
dontaudit su unlabeled:vsock_socket *;
|
||||
dontaudit su self:perf_event *;
|
||||
|
||||
# VTS tests run in the permissive su domain on debug builds, but the HALs
|
||||
# being tested run in enforcing mode. Because hal_foo_server is enforcing
|
||||
|
|
|
@ -171,16 +171,17 @@ typeattribute $1 appdomain;
|
|||
# Label tmpfs objects for all apps.
|
||||
type_transition $1 tmpfs:file appdomain_tmpfs;
|
||||
allow $1 appdomain_tmpfs:file { execute getattr map read write };
|
||||
neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
|
||||
neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
|
||||
neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
|
||||
neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
|
||||
# The Android security model guarantees the confidentiality and integrity
|
||||
# of application data and execution state. Ptrace bypasses those
|
||||
# confidentiality guarantees. Disallow ptrace access from system components
|
||||
# to apps. Crash_dump is excluded, as it needs ptrace access to
|
||||
# produce stack traces. llkd is excluded, as it needs to inspect
|
||||
# the kernel stack for live lock conditions. runas_app is excluded, as it can
|
||||
# only access debuggable apps.
|
||||
neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
|
||||
# confidentiality guarantees. Disallow ptrace access from system components to
|
||||
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
|
||||
# traces. runas_app is excluded, as it operates only on debuggable apps.
|
||||
# simpleperf is excluded, as it operates only on debuggable or profileable
|
||||
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
|
||||
# live lock conditions.
|
||||
neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
|
||||
')
|
||||
|
||||
#####################################
|
||||
|
|
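Review bot: The `-simpleperf` exemptions added to both `no_rw_file_perms` neverallows and to the `$1:process ptrace` neverallow are broader than the access the new domain is actually granted: they exempt simpleperf from the guard against reading the /proc files of, and ptracing, any app domain, while the only allow rules in private/simpleperf.te name untrusted_app_all. The macro therefore no longer fails the build if a later change widens simpleperf toward, for example, a privileged app domain. Suggest a compensating pair in private/simpleperf.te, `neverallow simpleperf { domain -simpleperf -untrusted_app_all }:file no_rw_file_perms;` and `neverallow simpleperf { domain -untrusted_app_all }:process ptrace;`, assuming untrusted_app_domain() grants the untrusted_app_all attribute as the domain_auto_trans source set suggests.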