Commit graph

26 commits

Author SHA1 Message Date
Ryan Savitski
21f6ae6a8a perfetto: allow producers to supply shared memory
This concerns the data transfer between an untrusted producer process,
and the tracing service (traced daemon). They communicate over a
combination of a unix socket and shared memory.

Normally, the service creates the shared memory region, and hands it off
to the producer process (see perfetto_producer() macro). This patch
allows for an alternative scheme, where the producer process is allowed
to create the shared memory region, which will then be adopted by the
tracing service. The service already inherently doesn't trust the
producer, so it'll validate that the shared memory is appropriately
sealed before using it.

The immediate use-case is chrome's go/perfetto-startup-tracing-v2. But
this mode has advantages (e.g. being able to write to the shared memory
before connecting) for other producer domains as well.

Bug: 148841422
Change-Id: I90f864b900958792553f0208f4a0041dbf2892cc
2020-02-04 13:47:42 +00:00
Florian Mayer
5e52281372 Allow Java domains to be Perfetto producers.
This is needed to get Java heap graphs.

Test: flash aosp; profile system_server with setenforce 1

Bug: 136210868

Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-10 10:40:26 +01:00
Paul Crowley
aed0f76ee9 Root of /data belongs to init (re-landing)
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.

This change originally landed as aosp/1106014 and was reverted in
aosp/1116238 to fix b/140402208. aosp/1116298 fixes the underlying
problem, and with that we can re-land this change.

Bug: 139190159
Bug: 140402208
Test: aosp boots, logs look good
Change-Id: I1a366c577a0fff307ca366a6844231bcf8afe3bf
2019-09-09 14:42:01 -07:00
Paul Crowley
d98e311952 Revert "Root of /data belongs to init"
This reverts commit 206b6535f1.

Reason for revert: Droidfood is blocked
Bug: 140402208
Change-Id: I1d1eb014747ba5c5bb656342e53b8c4e434878d1
2019-09-06 19:59:17 +00:00
Paul Crowley
206b6535f1 Root of /data belongs to init
Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.

Bug: 139190159
Test: aosp boots, logs look good
Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe
2019-08-29 15:08:21 -07:00
Pirama Arumuga Nainar
ce9c0c5a5f In native coverage builds, allow all domains to access /data/misc/trace
Bug: http://b/135139675

Coverage files are written to /data/misc/trace (governed by the
method_trace_data_file selinux type).  Allow all domains to access
(create directories, access files) this directory when native coverage
is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng
build.

Also relax neverallow constraints to allow access to
method_trace_data_file for native coverage builds.

Test: Build 32-bit cuttlefish with coverage:
          m NATIVE_COVERAGE=true COVERAGE_PATHS="*"
      and verify that there are no selinux denials in kernel log and
      logcat.

Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 08:31:51 -07:00
Isabelle Taylor
e8c4ba8137 Allow traced_probes access to atrace HAL
03-26 10:34:53.532   585   585 E SELinux : avc:  denied  { find } for interface=android.hardware.atrace::IAtraceDevice sid=u:r:traced_probes:s0 pid=917 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hal_atrace_hwservice:s0 tclass=hwservice_manager permissive=0

Bug: 127378737
Test: manually
Change-Id: Icfeee8e8d62c9e11072d4f8cc1d04f256b9636c5
2019-04-04 16:31:50 +00:00
Florian Mayer
d04ffff3ea Allow traced_probes to read packages.list.
Bug:123186697

Change-Id: Ifa480ae42f00740a39b8126e8fa6fd2120ac9b61
2019-04-02 17:18:35 +01:00
Ben Murdoch
f948ea58c7 Allow traced_probes to access power rail data.
Allows power rail data to be logged in the trace, allowing
high fidelity attribution of battery power use.

Matching feature CL: aosp/891533

SELinux denials that lead to this:
avc: denied { call } for scontext=u:r:traced_probes:s0 tcontext=u:r:hal_power_stats_default:s0 tclass=binder

Test: checked data in a trace
Bug: 122584217

Change-Id: I7e0f4e825be3f54bc78d91da1cb85c2f61465a44
2019-03-13 17:11:31 +00:00
Primiano Tucci
a64d5bb7ef Allow perfetto to ingest logs on userdebug/eng
When recording hour-long traces, logcat messages help
to interpret the trace, giving human readable context on what
is happening on the system.
Furthermore this is particularly helpful for startup
debugging thanks to activity manager instrumentation events
(am_on_create_called, am_on_start, ...).
This is only allowed on userdebug/eng builds.

Bug: 122243384
Change-Id: I4dfaebf21107e9853b0bf42403fbab6c3b4d5141
2019-01-10 20:14:06 +00:00
Hector Dearman
4802cbd955 traced_probes: Read tracefs directories in userdebug
Allow traced_probes to read /sys/kernel/debug/tracing
directories in userdebug mode. We read the directory when enabling
events with the wild card syntax: "oom/*" which attmpts to read the
directory /sys/kernel/debug/tracing/events/oom to work out what oom
events exist.

Denial:
  avc: denied { read } for name="oom" dev="tracefs" ino=11353
  scontext=u:r:traced_probes:s0
  tcontext=u:object_r:debugfs_tracing_debug:s0 tclass=dir
  permissive=0

Bug: 119662403
Test: perfetto -t 10s 'oom/*' -o /data/misc/perfetto-traces/trace
Change-Id: I2cb171c3c5292d2eb55e71376f965b924a563572
2018-12-07 13:42:09 +00:00
Primiano Tucci
353b93a90c Allow traced_probes to access battery coulomb counters
Allows battery counters to be logged in the trace. This
is to allow high fidelity attribution of battery power.

Matching feature CL: aosp/838951

SELinux denials that lead to this:
avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0
avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0 duplicate messages suppressed
avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { open } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { open } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { getattr } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { getattr } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { call } for comm="traced_probes" scontext=u:r:traced_probes:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { call } for comm="traced_probes" scontext=u:r:traced_probes:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { search } for comm="hwservicemanage" name="26854" dev="proc" ino=4959346 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=dir permissive=1
avc: denied { search } for comm="hwservicemanage" name="26854" dev="proc" ino=4959346 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=dir permissive=1
avc: denied { read } for comm="hwservicemanage" name="current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { read } for comm="hwservicemanage" name="current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { open } for comm="hwservicemanage" path="/proc/26854/attr/current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { open } for comm="hwservicemanage" path="/proc/26854/attr/current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { getattr } for comm="hwservicemanage" scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=process permissive=1


Bug: 113076327
Change-Id: I4aabd0d70025105320c4a8d34470098807d56899
2018-12-03 13:32:48 +00:00
Lalit Maganti
d6ae1a5e42 sepolicy: add rules for traced_probes to capture stderr and kill atrace on timeout
This CL adds rules to allow traced_probes to dup a pipe as the stderr
for atrace and also send a sigkill to atrace after a timeout.

This fixes b/119656920

Change-Id: Ie66aaba47c11ef7c733b442f35fee042b7c546fb
2018-11-16 14:47:19 +00:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Primiano Tucci
51dc7cb1d4 Allow perfetto traced_probes to poll /proc/{meminfo,stat,vmstat,...}
This allows the trace producer daemon to snapshot counters at
high frequency in the trace. As usual for Perfetto, this data is
NOT made available to arbitrary apps but only to an extremely
limited subset of processes governed by selinux rules (currently
shell and statsd).

Bug: 115956288
Change-Id: I7e1bfda4b568b9bac9012b198ecbb998da4f773d
2018-09-19 11:29:17 +00:00
Benjamin Gordon
7ed266c678 sepolicy: Fix references to self:capability
commit 9b2e0cbeea added a new
self:global_capability_class_set macro that covers both self:capability
and self:cap_userns.  Apply the new macro to various self:capability
references that have cropped up since then.

Bug: 112307595
Test: policy diff shows new rules are all cap_userns
Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
2018-08-21 15:55:23 +00:00
Florian Mayer
ff146962b2 Grant traced_probes search on directories.
This is needed to be able to scan the labels we have
permission on.

Denial:

04-06 12:52:22.674   874   874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0

Bug: 73625480
2018-04-06 12:51:41 +00:00
Florian Mayer
9fcf22bb81 SELinux changes for I/O tracing.
See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
2018-03-30 00:32:34 +00:00
Primiano Tucci
feaf22b130 Reland: perfetto: allow traced_probes to execute atrace
This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.

This CL does NOT affect systrace. In that case (i.e. when
atrace is executed from adb/shell) atrace still runs in
the shell domain and none of those changes apply.

Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Bug: b/73340039
2018-03-22 01:51:39 +00:00
Primiano Tucci
70f8f3297d Revert "perfetto: allow traced_probes to execute atrace"
This reverts commit 54a86e2b5c.

Reason for revert: Broke user builds, see go/twqpd

system/sepolicy/private/traced_probes.te:46:ERROR 'unknown type atrace' at token ';' on line 34879:
# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
allow atrace traced_probes:fd use;
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/policy.conf

Change-Id: I24440e1928700530b63b70b658c63046cdcdc5de
2018-03-07 15:51:49 +00:00
Primiano Tucci
54a86e2b5c perfetto: allow traced_probes to execute atrace
This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.

Change-Id: I2b0a66dcb519cb296e1d0e6e3f15a425dc809089
Bug: 73340039
2018-03-02 19:27:06 +00:00
Florian Mayer
ef6358bb77 Allow traced_probes to list the system partition
Relevant denies:

[    2.560660] type=1400 audit(1519404055.529:9): avc: denied { read }
for pid=896 comm=traced_probes name=system dev=sda22 ino=17
scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

Allowing only read then gives:
[    2.554718] type=1400 audit(1519404863.506:9): avc: denied { open }
for pid=890 comm="traced_probes" path="/system" dev="sda22" ino=17
scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

Test: flashed and ran directory listing code.
Bug: 73625480
2018-02-23 17:35:42 +00:00
Primiano Tucci
d807d58825 selinux: allow Perfetto traced_probes to write into kmesg
This is to allow to leave audit trails in dmesg to cross-correlate
kernel panics with perfetto ftrace activity.

Bug: 73340039
Change-Id: I575a537553adc75378783c37c84350581250614d
2018-02-16 16:38:29 +00:00
Primiano Tucci
b4b31f9d72 Allow perfetto traced_probes to access tracefs on user
Allows the traced_probes daemon to access the core ftrace
functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
  1) trace_pipe_raw file to allow perfetto to read the raw
     ftrace buffer (rather than the text-based /trace endpoint)
  2) cpuX/stats and cpuX/buffer_size_kb that allow to
     tune the buffer size per-cpu pipe and to get basic
     statistics about the ftrace buffer (#events, overruns)
- Whitelistiing the full event directories rather than the
  /enable files. This gives also access to the /format files
  for the events that are already enabled on user builds.
  /format files simply describe the memory layout
  of the binary logs. Example: https://ghostbin.com/paste/f8m4k

This still does NOT allow enabling the events labeled as
"_debug" (mostly events that return activity on inodes).
We'll deal with that separately as soon as we get a POC
of inode resolution and a sensible blacklist/whitelist model.

Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8
2018-02-13 15:54:11 +00:00
Jeff Vander Stoep
d25ccabd24 label /data/vendor{_ce,_de}
Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 17:21:25 +00:00
Primiano Tucci
c80f9e037b Perfetto SELinux policies
Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd.
   It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream
     tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
     from traced to each client process, which needs to be able to
     mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from:
     shell, statsd). It allows to configure tracing and read the trace
     buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2018-01-10 00:18:46 +00:00