Commit graph

6 commits

Author SHA1 Message Date
Ryan Savitski
3f3e222527 perfetto profiling: fix access to ART apex files
The profilers cannot open files under
/data/misc/apexdata/com.android.art/dalvik-cache because they're not
allowed to search /data/misc/apexdata with the apex_module_data_file
label.

Example denial:
  avc: denied { search } for name="apexdata" dev="dm-37" ino=89
  scontext=u:r:traced_perf:s0
  tcontext=u:object_r:apex_module_data_file:s0 tclass=dir permissive=0

Tested: patched & flashed onto a TM device, then profiled system_server
Bug: 241544593
Change-Id: Ifd8b94a9ebcae09701e95f6cd6a14383209963db
2022-08-19 00:30:40 +01:00
Ryan Savitski
8b26472177 traced_perf: allow RO tracefs access + fix neverallow
We're adding support for counting and/or sampling on the static kernel
tracepoints in traced_perf (via perf_event_open). This requires traslating
a human-readable tracepoint name to its id for the running kernel.
For that, we need to read the "id" files like:
  /sys/kernel/tracing/events/sched/sched_switch/id

While the current implementation should only need "file r_file_perms",
as it constructs the full path to the id file, I've also added the
directory-level rule to allow for a possible change in implementation,
as we might want to enumerate all available events ahead of time, which
would require listing the tracefs events/ dir.

The changed neverallow macro was a copypaste mistake.

Example denials without the change:
  avc: denied { read } for name="id" dev="tracefs" ino=5721
  scontext=u:r:traced_perf:s0 tcontext=u:object_r:debugfs_tracing:s0
  tclass=file permissive=1

  avc: denied { open } for
  path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs"
  ino=5721 scontext=u:r:traced_perf:s0
  tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1

  avc: denied { getattr } for
  path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs"
  ino=5721 scontext=u:r:traced_perf:s0
  tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1

Tested: collected a profile sampled on "sched/sched_switch" on
        crosshatch-userdebug.
Bug: 170284829
Bug: 178961752
Change-Id: I75427e848ccfdc200c5f9b679ea18fc78e1669d6
2021-01-31 16:44:00 +00:00
Orion Hodson
8f75f76fbd Permissions for odrefresh and /data/misc/apexdata/com.android.art
odrefresh is the process responsible for checking and creating ART
compilation artifacts that live in the ART APEX data
directory (/data/misc/apexdata/com.android.art).

There are two types of change here:

1) enabling odrefresh to run dex2oat and write updated boot class path
   and system server AOT artifacts into the ART APEX data directory.

2) enabling the zygote and assorted diagnostic tools to use the
   updated AOT artifacts.

odrefresh uses two file contexts: apex_art_data_file and
apex_art_staging_data_file. When odrefresh invokes dex2oat, the
generated files have the apex_art_staging_data_file label (which allows
writing). odrefresh then moves these files from the staging area to
their installation area and gives them the apex_art_data_file label.

Bug: 160683548
Test: adb root && adb shell /apex/com.android.art/bin/odrefresh
Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2021-01-13 10:38:22 +00:00
Florian Mayer
167407dc47 userdebug_or_eng: allow traced_perf to read kallsyms.
This tracing daemon interfaces with perf_events, and is used for
callstack sampling. Currently, we only handle userspace stacks. We
have the ability to collect kernel frame addresses (as unwound
by the kernel itself), but need /proc/kallsyms to symbolize them.

This patch mirrors what was done for traced_probes (ftrace event
kptr symbolization) in aosp/1455337 - the daemon can set a sysprop
that causes "init" to temporarily relax kptr_restrict, then the daemon
can open and read /proc/kallsyms. After the file is parsed, the
kptr_restrict value is restored.

To reiterate, this is confined to userdebug_or_eng due to the reasons
outlined in go/perfetto-kallsyms.

Bug: 173124818
Change-Id: I9077bbfe6fea3318f4c37947a5c455061ca43d8d
2020-11-12 20:04:40 +00:00
Ryan Savitski
008465e5ec traced_perf sepolicy tweaks
* allow shell to enable/disable the daemon via a sysprop
* don't audit signals, as some denials are expected
* exclude zygote from the profileable set of targets on debug builds.
  I've not caught any crashes in practice, but believe there's a
  possibility that the zygote forks while holding a non-whitelisted fd
  due to the signal handler.

Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
2020-02-24 12:23:13 +00:00
Ryan Savitski
67a82481f8 initial policy for traced_perf daemon (perf profiler)
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.

To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).

This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.

Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.

Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 22:04:01 +00:00