This is needed to be able to scan the labels we have
permission on.
Denial:
04-06 12:52:22.674 874 874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0
Bug: 73625480
cherry-picked from aosp/658243
Change-Id: I52f3865952004bfc6fe22c488d768276866f8ae1
Merged-In: I52f3865952004bfc6fe22c488d768276866f8ae1
See also go/perfetto-io-tracing-security.
* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.
Bug: 74584014
Cherry-picked from aosp/631805
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
Merged-In: I891a0209be981d760a828a69e4831e238248ebad
This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.
This CL does NOT affect systrace. In that case (i.e. when
atrace is executed from adb/shell) atrace still runs in
the shell domain and none of those changes apply.
Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Merged-In: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Merged-In: Iba195d571aec9579195d79d4970f760e417608c6
Bug: b/73340039
This is to allow to leave audit trails in dmesg to cross-correlate
kernel panics with perfetto ftrace activity.
Bug: 73340039
Change-Id: I575a537553adc75378783c37c84350581250614d
Allows the traced_probes daemon to access the core ftrace
functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
1) trace_pipe_raw file to allow perfetto to read the raw
ftrace buffer (rather than the text-based /trace endpoint)
2) cpuX/stats and cpuX/buffer_size_kb that allow to
tune the buffer size per-cpu pipe and to get basic
statistics about the ftrace buffer (#events, overruns)
- Whitelistiing the full event directories rather than the
/enable files. This gives also access to the /format files
for the events that are already enabled on user builds.
/format files simply describe the memory layout
of the binary logs. Example: https://ghostbin.com/paste/f8m4k
This still does NOT allow enabling the events labeled as
"_debug" (mostly events that return activity on inodes).
We'll deal with that separately as soon as we get a POC
of inode resolution and a sensible blacklist/whitelist model.
Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8
Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.
Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
No new denials.
Change-Id: I65f904bb28952d4776aab947515947e14befbe34
Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).
1) traced: unprivileged daemon. This is architecturally similar to logd.
It exposes two UNIX sockets:
- /dev/socket/traced_producer : world-accessible, allows to stream
tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
from traced to each client process, which needs to be able to
mmap it R/W (but not X)
- /dev/socket/traced_consumer : privilege-accessible (only from:
shell, statsd). It allows to configure tracing and read the trace
buffer.
2) traced_probes: privileged daemon. This needs to:
- access tracingfs (/d/tracing) to turn tracing on and off.
- exec atrace
- connect to traced_producer to stream data to traced.
init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc
Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
