platform_system_sepolicy/private/coredomain.te
Ryan Savitski 67a82481f8 initial policy for traced_perf daemon (perf profiler)
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.

To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).

This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.

Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.

Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
2020-01-22 22:04:01 +00:00

195 lines
3.9 KiB
Text

get_prop(coredomain, pm_prop)
get_prop(coredomain, exported_pm_prop)
full_treble_only(`
neverallow {
coredomain
# for chowning
-init
# generic access to sysfs_type
-ueventd
-vold
} sysfs_leds:file *;
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
coredomain
-appdomain
-dex2oat
-idmap
-init
-installd
userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
} vendor_app_file:dir { open read getattr search };
')
full_treble_only(`
neverallow {
coredomain
-appdomain
-dex2oat
-idmap
-init
-installd
userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
-mediaserver
} vendor_app_file:file r_file_perms;
')
full_treble_only(`
# Limit access to /vendor/overlay
neverallow {
coredomain
-appdomain
-idmap
-init
-installd
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
-app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:dir { getattr open read search };
')
full_treble_only(`
neverallow {
coredomain
-appdomain
-idmap
-init
-installd
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
-app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:file r_file_perms;
')
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
full_treble_only(`
# /proc
neverallow {
coredomain
-init
-vold
} proc:file no_rw_file_perms;
# /sys
neverallow {
coredomain
-init
-ueventd
-vold
} sysfs:file no_rw_file_perms;
# /dev
neverallow {
coredomain
-fsck
-init
-ueventd
} device:{ blk_file file } no_rw_file_perms;
# debugfs
neverallow {
coredomain
-dumpstate
-init
-system_server
} debugfs:file no_rw_file_perms;
# tracefs
neverallow {
coredomain
-atrace
-dumpstate
-init
-traced_probes
-shell
-traceur_app
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
neverallow {
coredomain
-init
} inotify:file no_rw_file_perms;
# pstorefs
neverallow {
coredomain
-bootstat
-charger
-dumpstate
-healthd
userdebug_or_eng(`-incidentd')
-init
-logd
-logpersist
-recovery_persist
-recovery_refresh
-shell
-system_server
} pstorefs:file no_rw_file_perms;
# configfs
neverallow {
coredomain
-init
-system_server
} configfs:file no_rw_file_perms;
# functionfs
neverallow {
coredomain
-adbd
-init
-mediaprovider
-system_server
} functionfs:file no_rw_file_perms;
# usbfs and binfmt_miscfs
neverallow {
coredomain
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
neverallow coredomain {
iio_device
radio_device
}:chr_file { open read append write ioctl };
# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
full_treble_only(`
neverallow coredomain tee_device:chr_file { open read append write ioctl };
')