From e3f0b2ca13e68aa67448d47c57d058c70a45c47c Mon Sep 17 00:00:00 2001
From: Connor O'Brien
Date: Tue, 14 Jan 2020 15:45:55 -0800
Subject: [PATCH] Allow system_server to attach bpf programs to tracepoints

In order to track time in state data using eBPF, system_server needs to be able to attach BPF programs to tracepoints, which involves:
- calling perf_event_open and the PERF_EVENT_IOC_SET_BPF ioctl
- running BPF programs
- reading tracepoint ids from tracefs
Grant system_server the necessary permissions for these tasks
Test: modify system_server to try to attach programs; check for denials
Bug: 138317993
Change-Id: I07dafd325a9c57d53767a09d4ca7b0fb2dd2d328
Signed-off-by: Connor O'Brien
---
private/bpfloader.te | 2 +-
private/coredomain.te | 1 +
private/system_server.te | 13 +++++++++++--
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 00d4c7902..34921e603 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -18,7 +18,7 @@ allow bpfloader self:global_capability_class_set sys_admin;
 ### Neverallow rules ###
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
diff --git a/private/coredomain.te b/private/coredomain.te
index 44052c3d3..0c847970a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -132,6 +132,7 @@ full_treble_only(`
 -init
 -traced_probes
 -shell
+ -system_server
 -traceur_app
 } debugfs_tracing:file no_rw_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index be2eec69d..2a07a1fca 100644
--- a/private/system_server.te
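Review bot: The new `-system_server` carve-out on the prog_run neverallow is not tied to any target type, so the only thing keeping system_server's program execution scoped to bpfloader-owned programs is the allow rule over in system_server.te; a comment above the neverallow recording that dependency would help the next reader, e.g. `# system_server may only run programs via its allow on bpfloader:bpf (time-in-state accounting)`. The trailing context comment `# only system_server, netd and bpfloader can read/write the bpf maps` now describes map access only while the prog_run exemption list also names netutils_wrapper; widening it to cover both map and program access would keep the two lists from drifting apart silently.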
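Review bot: Removing system_server from this exemption list lifts the whole no_rw_file_perms assertion on debugfs_tracing:file for it, while the matching allow in system_server.te grants only r_file_perms, so write access to tracefs is no longer asserted away for system_server anywhere in policy. A compensating `neverallow system_server debugfs_tracing:file no_w_file_perms;` next to the new allow in system_server.te would keep the read-only intent enforced at build time. The neverallow block whose subject set is edited here starts before the hunk, so its full subject list is not visible.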
+++ b/private/system_server.te
@@ -896,6 +896,9 @@ allow system_server debugfs_tracing_instances:dir search;
 allow system_server debugfs_wifi_tracing:dir search;
 allow system_server debugfs_wifi_tracing:file rw_file_perms;
+# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
+allow system_server debugfs_tracing:file r_file_perms;
+
 # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
 # asanwrapper.
 with_asan(`
@@ -905,10 +908,11 @@ with_asan(`
 ')
 # allow system_server to read the eBPF maps that stores the traffic stats information and update
-# the map after snapshot is recorded
+# the map after snapshot is recorded, and to read, update and run the maps and programs used for
+# time in state accounting
 allow system_server fs_bpf:dir search;
 allow system_server fs_bpf:file { read write };
-allow system_server bpfloader:bpf { map_read map_write };
+allow system_server bpfloader:bpf { map_read map_write prog_run };
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.
@@ -1122,3 +1126,8 @@ neverallow { domain -init -system_server } password_slot_metadata_file:notdevfil
 set_prop(system_server, binder_cache_system_server_prop)
 neverallow { domain -system_server -init } binder_cache_system_server_prop:property_service set;
+
+# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
+# system_server cannot use this access to read perf event data like process stacks.
+allow system_server self:perf_event { open write cpu kernel };
+neverallow system_server self:perf_event ~{ open write cpu kernel };
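Review bot: The comment on the new `allow system_server debugfs_tracing:file r_file_perms;` names tracepoint ids as the purpose, but the rule is type-wide: it covers every tracefs file labelled debugfs_tracing, not only the per-event id files, and if the trace buffer or trace_pipe carry the same label (not visible here) it also lets system_server read trace output. Worth recording that breadth in the comment so the grant is not mistaken for a narrow one, e.g. `# Allow system_server to read tracepoint ids in order to attach BPF programs to them. This is` / `# type-wide read access to tracefs; there is no narrower label for the id files.`, or confirming that a narrower label exists and using it instead.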
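Review bot: The extended comment in the `@@ -905,10 +908,11 @@` hunk reads `read, update and run the maps and programs`, which pairs `run` with maps; maps are read and updated, programs are run. Suggest `# the map after snapshot is recorded, and to read/update the maps and run the programs used for` followed by `# time in state accounting`. The allow itself is correctly scoped to bpfloader:bpf, which is narrower than the `*:bpf prog_run` carve-out made in bpfloader.te.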
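Review bot: The complement form `neverallow system_server self:perf_event ~{ open write cpu kernel };` in the last hunk also asserts away the `tracepoint` permission of the perf_event class, and on kernels whose perf LSM hook checks a separate tracepoint permission for tracepoint-type events a later attempt to allow it will fail the build until this line is edited. The Test: line reports no denials, so the tested kernel presumably did not require it, but that assumption deserves a comment beside the neverallow, e.g. `# tracepoint is deliberately absent; add it to both rules if the kernel's perf LSM hook requires it`. Leaving `read` out of the allow is the right call for the stated goal of not exposing perf sample data, and the comment says so clearly.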