5f1f1b6a7a
Change 1: when running the "perfetto" binary via "adb shell
perfetto...", ctrl-Cing the host process doesn't propagate the teardown
to the on-device process (which normally should stop the tracing session
immediately). Allow signals adbd->perfetto to resolve.
Change 2: don't print audit logs for a harmless isatty() check on adb
sockets when they're the stderr of a "perfetto" process.
Example denials from the isatty() check (ioctl is TCGETS):
avc: denied { getattr } for path="socket:[244990]" dev="sockfs"
ino=244990 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0
tclass=unix_stream_socket permissive=0
avc: denied { ioctl } for path="socket:[244992]" dev="sockfs" ino=244992
ioctlcmd=0x5401 scontext=u:r:perfetto:s0 tcontext=u:r:adbd:s0
tclass=unix_stream_socket permissive=0
Example denial from ctrl-c'ing "adb shell perfetto ...":
avc: denied { signal } for comm=7368656C6C20737663203134343537
scontext=u:r:adbd:s0 tcontext=u:r:perfetto:s0 tclass=process
permissive=0
Tested: patched onto an internal branch, then verified that denials are
gone on a flashed crosshatch-userdebug.
Change-Id: I1dbe00ea91e3c3377d6e5eab05ad99620e02b965
96 lines
3.4 KiB
Text
96 lines
3.4 KiB
Text
# Perfetto command-line client. Can be used only from the domains that are
|
|
# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
|
|
# This command line client accesses the privileged socket of the traced
|
|
# daemon.
|
|
|
|
type perfetto_exec, system_file_type, exec_type, file_type;
|
|
type perfetto_tmpfs, file_type;
|
|
|
|
tmpfs_domain(perfetto);
|
|
|
|
# Allow to access traced's privileged consumer socket.
|
|
unix_socket_connect(perfetto, traced_consumer, traced)
|
|
|
|
# Connect to the Perfetto traced daemon as a producer. This requires
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
|
perfetto_producer(perfetto)
|
|
|
|
# Allow to write and unlink traces into /data/misc/perfetto-traces.
|
|
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
|
|
allow perfetto perfetto_traces_data_file:file create_file_perms;
|
|
|
|
# Allow to access binder to pass the traces to Dropbox.
|
|
binder_use(perfetto)
|
|
binder_call(perfetto, system_server)
|
|
allow perfetto dropbox_service:service_manager find;
|
|
|
|
# Allow perfetto to read the trace config from statsd and shell
|
|
# (both root and non-root) on stdin and also to write the resulting trace to
|
|
# stdout.
|
|
allow perfetto { statsd shell su }:fd use;
|
|
allow perfetto { statsd shell su }:fifo_file { getattr read write };
|
|
|
|
# Allow to communicate use, read and write over the adb connection.
|
|
allow perfetto adbd:fd use;
|
|
allow perfetto adbd:unix_stream_socket { read write };
|
|
|
|
# Allow adbd to reap perfetto.
|
|
allow perfetto adbd:process { sigchld };
|
|
|
|
# Allow perfetto to write to statsd.
|
|
unix_socket_send(perfetto, statsdw, statsd)
|
|
|
|
# Allow to access /dev/pts when launched in an adb shell.
|
|
allow perfetto devpts:chr_file rw_file_perms;
|
|
|
|
# Allow perfetto to ask incidentd to start a report.
|
|
# TODO(b/134706389): remove when no longer used.
|
|
userdebug_or_eng(`
|
|
allow perfetto incident_service:service_manager find;
|
|
binder_call(perfetto, incidentd)
|
|
');
|
|
|
|
# perfetto log formatter calls isatty() on its stderr. Denial when running
|
|
# under adbd is harmless. Avoid generating denial logs.
|
|
dontaudit perfetto adbd:unix_stream_socket getattr;
|
|
dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
|
|
# As above, when adbd is running in "su" domain (only the ioctl is denied in
|
|
# practice).
|
|
dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### perfetto should NEVER do any of this
|
|
|
|
# Disallow mapping executable memory (execstack and exec are already disallowed
|
|
# globally in domain.te).
|
|
neverallow perfetto self:process execmem;
|
|
|
|
# Block device access.
|
|
neverallow perfetto dev_type:blk_file { read write };
|
|
|
|
# ptrace any other process
|
|
neverallow perfetto domain:process ptrace;
|
|
|
|
# Disallows access to other /data files.
|
|
neverallow perfetto {
|
|
data_file_type
|
|
-system_data_file
|
|
-system_data_root_file
|
|
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
|
|
# neverallow. Currently only getattr and search are allowed.
|
|
-vendor_data_file
|
|
-zoneinfo_data_file
|
|
-perfetto_traces_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:dir *;
|
|
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
|
|
neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
|
|
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
|
|
neverallow perfetto {
|
|
data_file_type
|
|
-zoneinfo_data_file
|
|
-perfetto_traces_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:file ~write;
|