perfetto: fix missing fd:use for producer-supplied shared memory
The previous attempt (aosp/1225417) had a missing piece: while we
allowed traced to use the shared memory, we haven't allowed it to use
the file descriptors in the producers' domains. Since the shared memory
is being transferred as an fd (obtained from memfd_create), the service
ends up hitting a denial (see below for an example).
We ended up missing the general case as we only tested with the shell
domain at the time, and traced is already allowed to use shell's fds for
other reasons.
To reiterate, the tracing service treats producers as inherently
untrusted/adversarial, so its implementation should never attempt to use
a file descriptor that isn't otherwise validated (such as checking seals
for the memfds).
Example denial from a chromium apk that is exercising this path:
traced : type=1400 audit(0.0:80): avc: denied { use } for
path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429
dev="tmpfs" ino=151536 scontext=u:r:traced:s0
tcontext=u:r:untrusted_app_29:s0:c136,c256,c512,c768 tclass=fd
permissive=0
(deobfuscated path in the denial: /memfd:perfetto_shmem (deleted))
Tested: experimental chromium apk no longer crashes when trying to hand
over shared memory to traced
Bug: 148841422
Merged-In: I7390fb174e2083ba7693c3160da44b4cfa7b1c8b
Change-Id: I7390fb174e2083ba7693c3160da44b4cfa7b1c8b
(cherry picked from commit 3baeb1ea805293d6c2a76379474a7958b8757dad)
diff --git a/public/te_macros b/public/te_macros
index a9dea92..5afb791 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -767,6 +767,11 @@
allow $1 traced:fd use;
allow $1 traced_tmpfs:file { read write getattr map };
unix_socket_connect($1, traced_producer, traced)
+
+ # Also allow the service to use the producer file descriptors. This is
+ # necessary when the producer is creating the shared memory, as it will be
+ # passed to the service as a file descriptor (obtained from memfd_create).
+ allow traced $1:fd use;
')
###########################################