2f99809c43
Feature description: if a background trace is happening at the
time dumpstate is invoked, the tracing daemon will snapshot
the trace into a fixed path (/data/misc/perfetto-traces/bugreport/).
Dumpstate will attach the trace, if present, to the bugreport.
From a SELinux viewpoint this involves the following permissions:
- Allow dumpstate to exec+trans perfetto --save-for-bugreport
(this will just send an IPC to traced, which will save the trace).
- Allow dumpstate to list, read and unlink the trace file.
- Create a dedicated label for bugreport traces, to prevent that
dumpstate gets access to other traces not meant for bug reporting.
Note that this does NOT allow dumpstate to serialze arbitary traces.
Traces must be marked as "eligible for bugreport" upfront in the
trace config (which is not under dumpstate control), by
setting bugreport_score > 0.
Design doc: go/perfetto-betterbug
Bug: 170334305
Test: manual:
1. start a perfetto trace with bugreport_score > 0
2. adb shell dumpstate
3. check that the bugreport zip contains the trace
Change-Id: I259c3ee9d5be08d6b22c796b32875d7de703a230
111 lines
4.2 KiB
Text
111 lines
4.2 KiB
Text
# Perfetto user-space tracing daemon (unprivileged)
|
|
|
|
# type traced is defined under /public (because iorapd rules
|
|
# under public/ need to refer to it).
|
|
type traced_exec, system_file_type, exec_type, file_type;
|
|
type traced_tmpfs, file_type;
|
|
|
|
# Allow init to exec the daemon.
|
|
init_daemon_domain(traced)
|
|
tmpfs_domain(traced)
|
|
|
|
# Allow apps in other MLS contexts (for multi-user) to access
|
|
# share memory buffers created by traced.
|
|
typeattribute traced_tmpfs mlstrustedobject;
|
|
|
|
# Allow traced to start with a lower scheduling class and change
|
|
# class accordingly to what defined in the config provided by
|
|
# the privileged process that controls it.
|
|
allow traced self:global_capability_class_set { sys_nice };
|
|
|
|
# Allow to pass a file descriptor for the output trace from "perfetto" (the
|
|
# cmdline client) and other shell binaries to traced and let traced write
|
|
# directly into that (rather than returning the trace contents over the socket).
|
|
allow traced perfetto:fd use;
|
|
allow traced shell:fd use;
|
|
allow traced shell:fifo_file { read write };
|
|
|
|
# Allow the service to create new files within /data/misc/perfetto-traces.
|
|
allow traced perfetto_traces_data_file:file create_file_perms;
|
|
allow traced perfetto_traces_data_file:dir rw_dir_perms;
|
|
# ... and /data/misc/perfetto-traces/bugreport*
|
|
allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
|
|
allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
|
|
|
|
# Allow traceur to pass open file descriptors to traced, so traced can directly
|
|
# write into the output file without doing roundtrips over IPC.
|
|
allow traced traceur_app:fd use;
|
|
allow traced trace_data_file:file { read write };
|
|
|
|
# Allow iorapd to pass memfd descriptors to traced, so traced can directly
|
|
# write into the shmem buffer file without doing roundtrips over IPC.
|
|
allow traced iorapd:fd use;
|
|
allow traced iorapd_tmpfs:file { read write };
|
|
|
|
# Allow traced to use shared memory supplied by producers. Typically, traced
|
|
# (i.e. the tracing service) creates the shared memory used for data transfer
|
|
# from the producer. This rule allows an alternative scheme, where the producer
|
|
# creates the shared memory, that is then adopted by traced (after validating
|
|
# that it is appropriately sealed).
|
|
# This list has to replicate the tmpfs domains of all applicable domains that
|
|
# have perfetto_producer() macro applied to them.
|
|
# perfetto_tmpfs excluded as it should never need to use the producer-supplied
|
|
# shared memory scheme.
|
|
allow traced {
|
|
appdomain_tmpfs
|
|
heapprofd_tmpfs
|
|
surfaceflinger_tmpfs
|
|
traced_probes_tmpfs
|
|
userdebug_or_eng(`system_server_tmpfs')
|
|
}:file { getattr map read write };
|
|
|
|
# Allow traced to notify Traceur when a trace ends by setting the
|
|
# sys.trace.trace_end_signal property.
|
|
set_prop(traced, system_trace_prop)
|
|
# Allow to lazily start producers.
|
|
set_prop(traced, traced_lazy_prop)
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### traced should NEVER do any of this
|
|
|
|
# Disallow mapping executable memory (execstack and exec are already disallowed
|
|
# globally in domain.te).
|
|
neverallow traced self:process execmem;
|
|
|
|
# Block device access.
|
|
neverallow traced dev_type:blk_file { read write };
|
|
|
|
# ptrace any other process
|
|
neverallow traced domain:process ptrace;
|
|
|
|
# Disallows access to /data files, still allowing to write to file descriptors
|
|
# passed through the socket.
|
|
neverallow traced {
|
|
data_file_type
|
|
-perfetto_traces_data_file
|
|
-perfetto_traces_bugreport_data_file
|
|
-system_data_file
|
|
-system_data_root_file
|
|
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
|
|
# subsequent neverallow. Currently only getattr and search are allowed.
|
|
-vendor_data_file
|
|
-zoneinfo_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:dir *;
|
|
neverallow traced { system_data_file }:dir ~{ getattr search };
|
|
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
|
|
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
|
|
neverallow traced {
|
|
data_file_type
|
|
-zoneinfo_data_file
|
|
-perfetto_traces_data_file
|
|
-perfetto_traces_bugreport_data_file
|
|
-trace_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:file ~write;
|
|
|
|
# Only init is allowed to enter the traced domain via exec()
|
|
neverallow { domain -init } traced:process transition;
|
|
neverallow * traced:process dyntransition;
|