Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_core / ea93f110d2c183c9214d18f4290daa73ff0ab84a^! / . / init / security.cpp
commitea93f110d2c183c9214d18f4290daa73ff0ab84a[log] [tgz]
authorRyan Savitski <rsavitski@google.com>Wed Oct 28 18:01:35 2020 +0000
committerRyan Savitski <rsavitski@google.com>Thu Oct 29 17:41:36 2020 +0000
treef54d12c8f7217eeffab21f16c06cc9feb1d49421
parent49a428b62e233008ead1fd1c832d7a528d67b7ee [diff] [blame]
dev devices with permissive boot: disable perf_event_paranoid

Some functionality based on eBPF attached to tracepoints (gpu memory
accounting and time-in-state) rely on newer devices running with
"disabled" perf_event_paranoid controls as a result of the kernel having
LSM hooks in the perf_event_open syscall instead. This is tested
for, and set up by init via the sys.init.perf_lsm_hooks sysprop.

Development devices that boot into permissive mode still want the
eBPF-based functionality to work, but end up with a paranoid value that
disallows the syscall, as the LSM hook test expects to observe a SELinux
denial (which doesn't happen due to permissiveness).

As a pragmatic way of achieving the paranoid value override, we pretend
that the hook test has succeeded if we detect permissive SELinux during
second-stage init. It'd be nicer if we had a sysprop to reflect the
device's on-boot status of SELinux, but it's not worth adding for this
case.

BYPASS_INCLUSIVE_LANGUAGE_REASON=technical term

Bug: 170674916
Tested: booted crosshatch-userdebug with permissive kernel cmdline,
        confirmed that the log message from the new codepath was present
        in logcat, sysprop is 1, and paranoid is -1.
Change-Id: I9df5da2076cdbd777d35e50e8cd7a483ec85e20a

diff --git a/init/security.cpp b/init/security.cpp
index 2450d65..ac784a3 100644
--- a/init/security.cpp
+++ b/init/security.cpp

@@ -19,6 +19,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/perf_event.h>
+#include <selinux/selinux.h>
 #include <sys/ioctl.h>
 #include <sys/syscall.h>
 #include <unistd.h>
@@ -222,6 +223,19 @@
 // supporting kernels that precede the perf_event_open hooks (Android common
 // kernels 4.4 and 4.9).
 Result<void> TestPerfEventSelinuxAction(const BuiltinArguments&) {
+    // Special case: for *development devices* that boot with permissive
+    // SELinux, treat the LSM hooks as present for the effect of lowering the
+    // perf_event_paranoid sysctl. The sysprop is reused for pragmatic reasons,
+    // as there no existing way for init rules to check for permissive boot at
+    // the time of writing.
+    if (ALLOW_PERMISSIVE_SELINUX) {
+        if (!security_getenforce()) {
+            LOG(INFO) << "Permissive SELinux boot, forcing sys.init.perf_lsm_hooks to 1.";
+            SetProperty("sys.init.perf_lsm_hooks", "1");
+            return {};
+        }
+    }
+
     // Use a trivial event that will be configured, but not started.
     struct perf_event_attr pe = {
             .type = PERF_TYPE_SOFTWARE,