ffa0dd93f3
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)
simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.
runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).
system-wide profiling is effectively constrained to "su" on debug
builds.
See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.
Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
37 lines
1.7 KiB
Text
37 lines
1.7 KiB
Text
# Domain used when running /system/bin/simpleperf to profile a specific app.
|
|
# Entered either by the app itself exec-ing the binary, or through
|
|
# simpleperf_app_runner (with shell as its origin). Certain other domains
|
|
# (runas_app, shell) can also exec this binary without a domain transition.
|
|
typeattribute simpleperf coredomain;
|
|
type simpleperf_exec, system_file_type, exec_type, file_type;
|
|
|
|
domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
|
|
|
|
# When running in this domain, simpleperf is scoped to profiling an individual
|
|
# app. The necessary MAC permissions for profiling are more maintainable and
|
|
# consistent if simpleperf is marked as an app domain as well (as, for example,
|
|
# it will then see the same set of system libraries as the app).
|
|
app_domain(simpleperf)
|
|
untrusted_app_domain(simpleperf)
|
|
|
|
# Allow ptrace attach to the target app, for reading JIT debug info (using
|
|
# process_vm_readv) during unwinding and symbolization.
|
|
allow simpleperf untrusted_app_all:process ptrace;
|
|
|
|
# Allow using perf_event_open syscall for profiling the target app.
|
|
allow simpleperf self:perf_event { open read write kernel };
|
|
|
|
# Allow /proc/<pid> access for the target app (for example, when trying to
|
|
# discover it by cmdline).
|
|
r_dir_file(simpleperf, untrusted_app_all)
|
|
|
|
# Suppress denial logspam when simpleperf is trying to find a matching process
|
|
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
|
|
# the same domain as their respective processes, most of which this domain is
|
|
# not allowed to see.
|
|
dontaudit simpleperf domain:dir search;
|
|
|
|
# Neverallows:
|
|
|
|
# Profiling must be confined to the scope of an individual app.
|
|
neverallow simpleperf self:perf_event ~{ open read write kernel };
|