67a82481f8
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.
To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).
This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.
Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.
Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
100 lines
3.8 KiB
Plaintext
100 lines
3.8 KiB
Plaintext
###
|
|
### Ephemeral apps.
|
|
###
|
|
### This file defines the security policy for apps with the ephemeral
|
|
### feature.
|
|
###
|
|
### The ephemeral_app domain is a reduced permissions sandbox allowing
|
|
### ephemeral applications to be safely installed and run. Non ephemeral
|
|
### applications may also opt-in to ephemeral to take advantage of the
|
|
### additional security features.
|
|
###
|
|
### PackageManager flags an app as ephemeral at install time.
|
|
|
|
typeattribute ephemeral_app coredomain;
|
|
|
|
net_domain(ephemeral_app)
|
|
app_domain(ephemeral_app)
|
|
|
|
# Allow ephemeral apps to read/write files in visible storage if provided fds
|
|
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
|
|
|
|
# Some apps ship with shared libraries and binaries that they write out
|
|
# to their sandbox directory and then execute.
|
|
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
|
|
allow ephemeral_app app_data_file:file { r_file_perms execute };
|
|
|
|
# Follow priv-app symlinks. This is used for dynamite functionality.
|
|
allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
|
|
|
|
# Allow the renderscript compiler to be run.
|
|
domain_auto_trans(ephemeral_app, rs_exec, rs)
|
|
|
|
# Allow loading and deleting shared libraries created by trusted system
|
|
# components within an application home directory.
|
|
allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
|
|
|
|
# services
|
|
allow ephemeral_app audioserver_service:service_manager find;
|
|
allow ephemeral_app cameraserver_service:service_manager find;
|
|
allow ephemeral_app mediaserver_service:service_manager find;
|
|
allow ephemeral_app mediaextractor_service:service_manager find;
|
|
allow ephemeral_app mediametrics_service:service_manager find;
|
|
allow ephemeral_app mediadrmserver_service:service_manager find;
|
|
allow ephemeral_app drmserver_service:service_manager find;
|
|
allow ephemeral_app radio_service:service_manager find;
|
|
allow ephemeral_app ephemeral_app_api_service:service_manager find;
|
|
allow ephemeral_app gpu_service:service_manager find;
|
|
|
|
# Allow ephemeral apps to interact with gpuservice
|
|
binder_call(ephemeral_app, gpuservice)
|
|
|
|
# Write app-specific trace data to the Perfetto traced damon. This requires
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
|
perfetto_producer(ephemeral_app)
|
|
|
|
# Allow profiling if the app opts in by being marked profileable/debuggable.
|
|
can_profile_heap(ephemeral_app)
|
|
can_profile_perf(ephemeral_app)
|
|
|
|
# allow ephemeral apps to use UDP sockets provided by the system server but not
|
|
# modify them other than to connect
|
|
allow ephemeral_app system_server:udp_socket {
|
|
connect getattr read recvfrom sendto write getopt setopt };
|
|
|
|
allow ephemeral_app ashmem_device:chr_file rw_file_perms;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
|
|
|
|
# Receive or send uevent messages.
|
|
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
|
|
|
|
# Receive or send generic netlink messages
|
|
neverallow ephemeral_app domain:netlink_socket *;
|
|
|
|
# Too much leaky information in debugfs. It's a security
|
|
# best practice to ensure these files aren't readable.
|
|
neverallow ephemeral_app debugfs:file read;
|
|
|
|
# execute gpu_device
|
|
neverallow ephemeral_app gpu_device:chr_file execute;
|
|
|
|
# access files in /sys with the default sysfs label
|
|
neverallow ephemeral_app sysfs:file *;
|
|
|
|
# Avoid reads from generically labeled /proc files
|
|
# Create a more specific label if needed
|
|
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
|
|
|
|
# Directly access external storage
|
|
neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
|
|
neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
|
|
|
|
# Avoid reads to proc_net, it contains too much device wide information about
|
|
# ongoing connections.
|
|
neverallow ephemeral_app proc_net:file no_rw_file_perms;
|