PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
258442b3d4
android_system_sepolicy/private/traced_probes.te
Ryan Savitski 21f6ae6a8a perfetto: allow producers to supply shared memory 
This concerns the data transfer between an untrusted producer process,
and the tracing service (traced daemon). They communicate over a
combination of a unix socket and shared memory.

Normally, the service creates the shared memory region, and hands it off
to the producer process (see perfetto_producer() macro). This patch
allows for an alternative scheme, where the producer process is allowed
to create the shared memory region, which will then be adopted by the
tracing service. The service already inherently doesn't trust the
producer, so it'll validate that the shared memory is appropriately
sealed before using it.

The immediate use-case is chrome's go/perfetto-startup-tracing-v2. But
this mode has advantages (e.g. being able to write to the shared memory
before connecting) for other producer domains as well.

Bug: 148841422
Change-Id: I90f864b900958792553f0208f4a0041dbf2892cc
2020-02-04 13:47:42 +00:00

130 lines
4.7 KiB
Plaintext
Raw Blame History

# Perfetto tracing probes, has tracefs access.
type traced_probes_exec, system_file_type, exec_type, file_type;
type traced_probes_tmpfs, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced_probes)
tmpfs_domain(traced_probes)
# Write trace data to the Perfetto traced damon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(traced_probes)
# Allow traced_probes to access tracefs.
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
# userdebug only until we nail down the blacklist/whitelist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
')
# Allow traced_probes to start with a higher scheduling class and then downgrade
# itself.
allow traced_probes self:global_capability_class_set { sys_nice };
# Allow procfs access
r_dir_file(traced_probes, domain)
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
# Allow to log to kernel dmesg when starting / stopping ftrace.
allow traced_probes kmsg_device:chr_file write;
# Allow traced_probes to list the system partition.
allow traced_probes system_file:dir { open read };
# Allow traced_probes to list some of the data partition.
allow traced_probes self:global_capability_class_set dac_read_search;
allow traced_probes apk_data_file:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
userdebug_or_eng(`
# search and getattr are granted via domain and coredomain, respectively.
allow traced_probes system_data_file:dir { open read };
')
allow traced_probes system_app_data_file:dir { getattr open read search };
allow traced_probes backup_data_file:dir { getattr open read search };
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
allow traced_probes user_profile_data_file:dir { getattr open read search };
# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
domain_auto_trans(traced_probes, atrace_exec, atrace);
# Allow traced_probes to kill atrace on timeout.
allow traced_probes atrace:process sigkill;
# Allow traced_probes to access /proc files for system stats.
# Note: trace data is NOT exposed to anything other than shell and privileged
# system apps that have access to the traced consumer socket.
allow traced_probes {
proc_meminfo
proc_vmstat
proc_stat
}:file r_file_perms;
# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
hal_client_domain(traced_probes, hal_health)
hal_client_domain(traced_probes, hal_power_stats)
# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
hal_client_domain(traced_probes, hal_atrace)
# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')
###
### Neverallow rules
###
### traced_probes should NEVER do any of this
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced_probes self:process execmem;
# Block device access.
neverallow traced_probes dev_type:blk_file { read write };
# ptrace any other app
neverallow traced_probes domain:process ptrace;
# Disallows access to /data files.
neverallow traced_probes {
data_file_type
-apk_data_file
-dalvikcache_data_file
-system_data_file
-system_data_root_file
-system_app_data_file
-backup_data_file
-bootstat_data_file
-update_engine_data_file
-update_engine_log_data_file
-user_profile_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes {
data_file_type
-zoneinfo_data_file
-packages_list_file
with_native_coverage(`-method_trace_data_file')
}:file *;
# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
neverallow * traced_probes:process dyntransition;
Reference in New Issue View Git Blame Copy Permalink