userdebug_or_eng: allow traced_perf to read kallsyms.
This tracing daemon interfaces with perf_events, and is used for
callstack sampling. Currently, we only handle userspace stacks. We
have the ability to collect kernel frame addresses (as unwound
by the kernel itself), but need /proc/kallsyms to symbolize them.
This patch mirrors what was done for traced_probes (ftrace event
kptr symbolization) in aosp/1455337 - the daemon can set a sysprop
that causes "init" to temporarily relax kptr_restrict, then the daemon
can open and read /proc/kallsyms. After the file is parsed, the
kptr_restrict value is restored.
To reiterate, this is confined to userdebug_or_eng due to the reasons
outlined in go/perfetto-kallsyms.
Bug: 173124818
Change-Id: I9077bbfe6fea3318f4c37947a5c455061ca43d8d
diff --git a/private/property.te b/private/property.te
index b14ab4e..7d74dcf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -491,6 +491,7 @@
neverallow {
-init
userdebug_or_eng(`-traced_probes')
+ userdebug_or_eng(`-traced_perf')
} {
lower_kptr_restrict_prop
}:property_service set;
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 9483e6c..55d86fb 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -32,6 +32,11 @@
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
+allow traced_perf proc_kallsyms:file r_file_perms;
+
# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };
diff --git a/public/domain.te b/public/domain.te
index 0e5dde9..ddc8448 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -436,9 +436,16 @@
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-# Allow the tracing daemon to use kallsyms to symbolize kernel traces. Addresses are not disclosed,
-# they are repalced with symbol names (if available). Traces don't disclose KASLR.
-neverallow { domain -init -vendor_init -traced_probes } proc_kallsyms:file { open read };
+# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
+# kernel traces. Addresses are not disclosed, they are repalced with symbol
+# names (if available). Traces don't disclose KASLR.
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -traced_probes
+ -traced_perf
+} proc_kallsyms:file { open read };
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.