8b26472177
We're adding support for counting and/or sampling on the static kernel
tracepoints in traced_perf (via perf_event_open). This requires traslating
a human-readable tracepoint name to its id for the running kernel.
For that, we need to read the "id" files like:
/sys/kernel/tracing/events/sched/sched_switch/id
While the current implementation should only need "file r_file_perms",
as it constructs the full path to the id file, I've also added the
directory-level rule to allow for a possible change in implementation,
as we might want to enumerate all available events ahead of time, which
would require listing the tracefs events/ dir.
The changed neverallow macro was a copypaste mistake.
Example denials without the change:
avc: denied { read } for name="id" dev="tracefs" ino=5721
scontext=u:r:traced_perf:s0 tcontext=u:object_r:debugfs_tracing:s0
tclass=file permissive=1
avc: denied { open } for
path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs"
ino=5721 scontext=u:r:traced_perf:s0
tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1
avc: denied { getattr } for
path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs"
ino=5721 scontext=u:r:traced_perf:s0
tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1
Tested: collected a profile sampled on "sched/sched_switch" on
crosshatch-userdebug.
Bug: 170284829
Bug: 178961752
Change-Id: I75427e848ccfdc200c5f9b679ea18fc78e1669d6
73 lines
2.7 KiB
Plaintext
73 lines
2.7 KiB
Plaintext
# Performance profiler, backed by perf_event_open(2).
|
|
# See go/perfetto-perf-android.
|
|
typeattribute traced_perf coredomain;
|
|
typeattribute traced_perf mlstrustedsubject;
|
|
|
|
type traced_perf_exec, system_file_type, exec_type, file_type;
|
|
|
|
init_daemon_domain(traced_perf)
|
|
perfetto_producer(traced_perf)
|
|
|
|
# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
|
|
# profiling, but retain samples only for profileable processes.
|
|
# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
|
|
# check (which would require a process:attach SELinux allow-rule).
|
|
allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
|
|
|
|
# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
|
|
# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
|
|
# sampled stacks, which requires opening the backing libraries/executables (as
|
|
# symbols are usually not mapped into the process space). Not all such files
|
|
# are world-readable, e.g. odex files that included user profiles during
|
|
# profile-guided optimization.
|
|
allow traced_perf self:capability { kill dac_read_search };
|
|
|
|
# Allow reading /system/data/packages.list.
|
|
allow traced_perf packages_list_file:file r_file_perms;
|
|
|
|
# Allow reading files for stack unwinding and symbolization.
|
|
r_dir_file(traced_perf, nativetest_data_file)
|
|
r_dir_file(traced_perf, system_file_type)
|
|
r_dir_file(traced_perf, apex_art_data_file)
|
|
r_dir_file(traced_perf, apk_data_file)
|
|
r_dir_file(traced_perf, dalvikcache_data_file)
|
|
r_dir_file(traced_perf, vendor_file_type)
|
|
|
|
# Allow to temporarily lift the kptr_restrict setting and build a symbolization
|
|
# map reading /proc/kallsyms.
|
|
userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
|
|
allow traced_perf proc_kallsyms:file r_file_perms;
|
|
|
|
# Allow reading tracefs files to get the format and numeric ids of tracepoints.
|
|
allow traced_perf debugfs_tracing:dir r_dir_perms;
|
|
allow traced_perf debugfs_tracing:file r_file_perms;
|
|
userdebug_or_eng(`
|
|
allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
|
|
allow traced_perf debugfs_tracing_debug:file r_file_perms;
|
|
')
|
|
|
|
# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
|
|
# domains that it cannot read.
|
|
dontaudit traced_perf domain:dir { search getattr open };
|
|
|
|
# Do not audit failures to signal a process, as there are cases when this is
|
|
# expected (native processes on debug builds use the policy for enforcing which
|
|
# processes are profileable).
|
|
dontaudit traced_perf domain:process signal;
|
|
|
|
# Never allow access to app data files
|
|
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
|
|
|
|
# Never allow profiling highly privileged processes.
|
|
never_profile_perf(`{
|
|
bpfloader
|
|
init
|
|
kernel
|
|
keystore
|
|
llkd
|
|
logd
|
|
ueventd
|
|
vendor_init
|
|
vold
|
|
}')
|