Commit graph

23 commits

Author SHA1 Message Date
Carmen Jackson
a60d7f28f2 Ensure that only desired processes can access TracingServiceProxy
This change adds a neverallow rule in traced.te to limit the processes
that can find tracingproxy_service, the context for TracingServiceProxy.

I wanted to avoid moving the tracingproxy_service definition to public,
so there were a few services that are exempted from this neverallow
rule.

Bug: 191391382
Test: Manually verified that with this change, along with the other
change in this topic, I see no errors when taking a bugreport while a
Traceur trace is running.

Change-Id: I8658df0db92ae9cf4fefe2eebb4d6d9a5349ea89
2021-06-24 08:24:20 +00:00
Jeff Vander Stoep
16ebb161eb traced: move traced_tmpfs to public policy
Allow the perfetto_producer macro to be used in device-specific
policy.

Bug: 185379881
Test: TH
Change-Id: I6932ff91a3ed095b5edce4076bdfd8607e925c6e
2021-04-14 22:18:41 +02:00
Collin Fijalkovich
6f4cfe8709 Configure sepolicy for TracingServiceProxy
Configures sepolicy to allow for the new TracingServiceProxy system
services, and to allow Perfetto to access the service.

Bug: 175591887
Test: Validated the service started successfullyy, and invoked via CLI
Change-Id: Idb6438948a9d96063f8455544b97ef66267cde23
2021-02-05 11:04:11 -08:00
Primiano Tucci
9dd873d725 Merge "Allow dumpstate to snapshot traces and attach them to bug reports" 2021-01-14 18:59:40 +00:00
Primiano Tucci
2f99809c43 Allow dumpstate to snapshot traces and attach them to bug reports
Feature description: if a background trace is happening at the
time dumpstate is invoked, the tracing daemon will snapshot
the trace into a fixed path (/data/misc/perfetto-traces/bugreport/).
Dumpstate will attach the trace, if present, to the bugreport.
From a SELinux viewpoint this involves the following permissions:
- Allow dumpstate to exec+trans perfetto --save-for-bugreport
  (this will just send an IPC to traced, which will save the trace).
- Allow dumpstate to list, read and unlink the trace file.
- Create a dedicated label for bugreport traces, to prevent that
  dumpstate gets access to other traces not meant for bug reporting.

Note that this does NOT allow dumpstate to serialze arbitary traces.
Traces must be marked as "eligible for bugreport" upfront in the
trace config (which is not under dumpstate control), by
setting bugreport_score > 0.

Design doc: go/perfetto-betterbug

Bug: 170334305
Test: manual:
      1. start a perfetto trace with bugreport_score > 0
      2. adb shell dumpstate
      3. check that the bugreport zip contains the trace

Change-Id: I259c3ee9d5be08d6b22c796b32875d7de703a230
2021-01-12 14:06:24 +00:00
Lalit Maganti
9165bf73dc sepolicy: allow traced to access statsd socket
This allows us to log metrics from traced to statsd
for failures. This is required for implementation of
go/perfetto-failure-stats.

This matches the CL aosp/1512303 which adds the initial logging to
traced.

This solves the following denied message from logcat:
avc: denied { write } for name="statsdw" scontext=u:r:traced:s0
tcontext=u:object_r:statsdw_socket:s0

Bug: 177215620
Change-Id: I4cc613c3a8f4d75c4a5c232b996f8a6cffd3ba9d
2021-01-11 14:36:11 +00:00
Primiano Tucci
386d95b15f Allow traced to create files within /data/misc/perfetto-traces
Together with aosp/1282157 this change allows the service to
create trace files in the /data/misc/perfetto-traces folder.
Before this change they needed to be created by the perfetto
cmdline client and pass the FD.
This doesn't work for host tools like Android GPU Inspector
(https://gpuinspector.dev/) which talk to the UNIX socket
over adb forward and cannot pass a FD from the host.

Bug: 153519149
Test: manual: adb shell perfetto --txt -c -
  buffers { size_kb: 65536 }
  data_sources {
    config {
      name: "linux.ftrace"
      ftrace_config { ftrace_events: "sched_switch" }
    }
  }
  duration_ms: 5000
  write_into_file: true
  output_path: "/data/misc/perfetto-traces/ttt"

Change-Id: I184329805741654983843e6a29c1fac19a836f59
2020-04-08 19:44:53 +00:00
Ryan Savitski
21f6ae6a8a perfetto: allow producers to supply shared memory
This concerns the data transfer between an untrusted producer process,
and the tracing service (traced daemon). They communicate over a
combination of a unix socket and shared memory.

Normally, the service creates the shared memory region, and hands it off
to the producer process (see perfetto_producer() macro). This patch
allows for an alternative scheme, where the producer process is allowed
to create the shared memory region, which will then be adopted by the
tracing service. The service already inherently doesn't trust the
producer, so it'll validate that the shared memory is appropriately
sealed before using it.

The immediate use-case is chrome's go/perfetto-startup-tracing-v2. But
this mode has advantages (e.g. being able to write to the shared memory
before connecting) for other producer domains as well.

Bug: 148841422
Change-Id: I90f864b900958792553f0208f4a0041dbf2892cc
2020-02-04 13:47:42 +00:00
Paul Crowley
aed0f76ee9 Root of /data belongs to init (re-landing)
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.

This change originally landed as aosp/1106014 and was reverted in
aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying
problem, and with that we can re-land this change.

Bug: 139190159
Bug: 140402208
Test: aosp boots, logs look good
Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
2019-09-09 14:42:01 -07:00
Paul Crowley
d98e311952 Revert "Root of /data belongs to init"
This reverts commit 206b6535f1.

Reason for revert: Droidfood is blocked
Bug: 140402208
Change-Id: I1d1eb014747ba5c5bb656342e53b8c4e434878d1
2019-09-06 19:59:17 +00:00
Paul Crowley
206b6535f1 Root of /data belongs to init
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.

Bug: 139190159
Test: aosp boots, logs look good
Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe
2019-08-29 15:08:21 -07:00
Pirama Arumuga Nainar
ce9c0c5a5f In native coverage builds, allow all domains to access /data/misc/trace
Bug: http://b/135139675

Coverage files are written to /data/misc/trace (governed by the
method_trace_data_file selinux type).  Allow all domains to access
(create directories, access files) this directory when native coverage
is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng
build.

Also relax neverallow constraints to allow access to
method_trace_data_file for native coverage builds.

Test: Build 32-bit cuttlefish with coverage:
          m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
      and verify that there are no selinux denials in kernel log and
      logcat.

Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 08:31:51 -07:00
Florian Mayer
a769f0fd43 Allow traced to lazily start heapprofd.
Bug: 126724929

Change-Id: I15f0ae10d5e45fc65850635230e377b6f77ad4d7
2019-03-14 20:42:29 +00:00
Primiano Tucci
8da4e4fb7c Allow traced to notify traceur via property
This CL introduces allows traced to set the
sys.traceur.trace_end_signal property at the end
of the tracer. In turn that property notifies the
the Traceur app.
This is to allowing Traceur to be killed during
a long-trace and avoid wasting resources making
it a persistent service.
See aosp/886616 for the matching traceur change.

Test: manual
Bug: 116754732
Change-Id: I89e2f02b3f973813ce8ff3507d397a06502f84c1
2019-02-06 08:47:04 +00:00
Isabelle Taylor
19f4998480 Fix perfetto CTS test
The test was failing because of a selinux denial.
This adds the required rule.

Test: atest (previously failing CTS test passed)
Change-Id: Ieb99f9ab4c6014a3d0aa1fe6c6fb6b82fa9b7631
2019-01-28 10:18:16 +00:00
Jeff Vander Stoep
41a2abfc0d Properly Treble-ize tmpfs access
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.

Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...

Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)
2019-01-26 17:30:41 +00:00
Primiano Tucci
79d1dbbc05 Allow iorapd to access perfetto
This requires moving the type declaration of
perfetto traced to public, because iorapd
needs to refer to it.

Denials without this CL:
https://pastebin.com/raw/sxHMeLEU

Bug: 72170747
Test: 1. runcon u:r:iorapd:s0 iorap.cmd.perfetto \
          -v --output-proto /data/misc/iorapd/test
      2. Check that no selinux denials other than
         avc: denied { entrypoint } for path="/system/bin/iorap.cmd.perfetto" dev="sda6" ino=21 scontext=u:r:iorapd:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
         show up (this is a side-effect of runcon).

Change-Id: Iacd1ab201fe9fb2a6302dbd528f42f709cbca054
2019-01-23 22:43:47 +00:00
Carmen Jackson
9678e079ac Add selinux rules for detachable perfetto process.
This appears to be the minimum change required to accommodate Traceur
running the detachable Perfetto process.

Bug: 116754732
Test: Started a perfetto trace using --detach and it started
successfully.

Change-Id: I12881ae343389abdcc74af5f11ecbac99b03ef7c
2019-01-10 12:18:24 -08:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Primiano Tucci
5d31732612 perfetto: allow traced to write into FDs received by the client
This allows an optimization that consists in the "perfetto" cmdline
client passing directly the file descriptor for the output trace
to traced (as opposite to having traced streaming back the trace
data to "perfetto" and having that one doing the write() into file).
This reduces sensibly the memory traffic and CPU overhead of traces
with a minor change.

Bug: 73625179
Test: builds + perfetto_integrationtests w/ long_trace.cfg
Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2
2018-03-26 01:01:31 +00:00
Primiano Tucci
5ef6669b04 perfetto: Make producer socket MLS-aware
The previous selinux rules obtained via audit2allow didn't really
work with the case of apps connecting to the producer socket,
despite all the allow rules being correctly in place.
This was failing our CTS tests.

The reason for the failure (see denials pasted below) is due to
Multi Level Security (for multi-user), which was still preventing
apps form a different level to connect to the traced producer
socket and write to the shmem buffers they get passed back.
This CL tags the objects being accessed as mlstrusted.
CTS tests pass with this CL.

Denials:
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=104483 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1

Change-Id: I1598bc0b07bf39b8d0420b66caf06a4ca884f383
Bug: 73340039
Test: CtsPerfettoTestCases
2018-02-21 14:37:58 +00:00
Jeff Vander Stoep
d25ccabd24 label /data/vendor{_ce,_de}
Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 17:21:25 +00:00
Primiano Tucci
c80f9e037b Perfetto SELinux policies
Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd.
   It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream
     tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
     from traced to each client process, which needs to be able to
     mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from:
     shell, statsd). It allows to configure tracing and read the trace
     buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2018-01-10 00:18:46 +00:00