Add selinux rules for perfetto daemones
Note: this is a somewhat minimal set of rules required to be able to
capture traces on Microdroid. After the trace is captured I still see a
bunch of SELinux denials. We might need to add more allow rules in the
follow up changes.
Bug: 249050813
Test: boot Microdroid VM, capture traces with record_android_traces
Change-Id: I62098fb79a8db65706a5bb28c8acce7ff3821f15
diff --git a/microdroid/system/private/atrace.te b/microdroid/system/private/atrace.te
new file mode 100644
index 0000000..f8dd24f
--- /dev/null
+++ b/microdroid/system/private/atrace.te
@@ -0,0 +1,11 @@
+# SELinux policy for the atrace daemon running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/atrace.te
+# So far, this file contains a subset of rules defined for the host Android.
+
+type atrace, domain, coredomain;
+type atrace_exec, exec_type, file_type, system_file_type;
+
+# Allow atrace to write data when a pipe is used for stdout/stderr.
+# This is used by Perfetto to capture atrace stdout/stderr.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file { getattr write };
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 5482b01..916eebf 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -544,7 +544,7 @@
domain
} ashmem_device:chr_file open;
-neverallow { domain -init -vendor_init } debugfs_tracing_printk_formats:file *;
+neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;
# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 6f037a3..a06a9cf 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -27,3 +27,9 @@
# Filesystem entry for for PRNG seeder socket.
type prng_seeder_socket, file_type, coredomain_socket;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-configs for perfetto configs
+type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 63221ce..e9b0c83 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -74,6 +74,8 @@
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
/dev/socket/authfs_service u:object_r:authfs_service_socket:s0
/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
+/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
+/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
@@ -123,6 +125,10 @@
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/kexec_load u:object_r:kexec_exec:s0
/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
+/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/perfetto u:object_r:perfetto_exec:s0
+/system/bin/traced u:object_r:traced_exec:s0
+/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
diff --git a/microdroid/system/private/perfetto.te b/microdroid/system/private/perfetto.te
new file mode 100644
index 0000000..4efb323
--- /dev/null
+++ b/microdroid/system/private/perfetto.te
@@ -0,0 +1,78 @@
+# SELinux policy for the perfetto binary running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/perfetto.te
+# So far, this is file contains a subset of rules defined for the host Android.
+
+type perfetto, domain, coredomain;
+type perfetto_exec, system_file_type, exec_type, file_type;
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Connect to the Perfetto traced daemon as a producer. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(perfetto)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
+# shell and adb can write files into that directory.
+allow perfetto perfetto_configs_data_file:dir r_dir_perms;
+allow perfetto perfetto_configs_data_file:file r_file_perms;
+
+# Allow adbd to reap perfetto.
+allow perfetto adbd:process { sigchld };
+
+###
+### Neverallow rules
+###
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -vendor_init # TODO(b/249050813): remove this
+} perfetto_traces_data_file:dir *;
+
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -vendor_init # TODO(b/249050813): remove this
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto {
+ data_file_type
+ -perfetto_traces_data_file
+ -perfetto_configs_data_file
+ # We need following 3 lines because allow rules for them are defined at the
+ # domain/coredomain level.
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+}:dir *;
+
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto {
+ data_file_type
+ -perfetto_traces_data_file
+ -perfetto_configs_data_file
+}:file ~write;
diff --git a/microdroid/system/private/traced.te b/microdroid/system/private/traced.te
new file mode 100644
index 0000000..1d94c15
--- /dev/null
+++ b/microdroid/system/private/traced.te
@@ -0,0 +1,69 @@
+# SELinux policy for the traced daemon running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/traced.te
+# So far, this is file contains a subset of rules defined for the host Android.
+
+type traced, domain, coredomain;
+type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;
+
+# Allow init to exec traced daemon
+init_daemon_domain(traced)
+
+# Required for perfetto_produced macro
+tmpfs_domain(traced)
+
+# Allow to pass a file descriptor for the output trace from "perfetto" (the
+# cmdline client) and other shell binaries to traced and let traced write
+# directly into that (rather than returning the trace contents over the socket).
+allow traced perfetto:fd use;
+allow traced shell:fd use;
+allow traced shell:fifo_file { read write };
+
+# Allow the service to create new files within /data/misc/perfetto-traces.
+allow traced perfetto_traces_data_file:file create_file_perms;
+allow traced perfetto_traces_data_file:dir rw_dir_perms;
+
+# Allow traced to use shared memory supplied by producers. Typically, traced
+# (i.e. the tracing service) creates the shared memory used for data transfer
+# from the producer. This rule allows an alternative scheme, where the producer
+# creates the shared memory, that is then adopted by traced (after validating
+# that it is appropriately sealed).
+# This list has to replicate the tmpfs domains of all applicable domains that
+# have perfetto_producer() macro applied to them.
+# perfetto_tmpfs excluded as it should never need to use the producer-supplied
+# shared memory scheme.
+allow traced traced_probes_tmpfs:file { getattr map read write };
+
+
+###
+### Neverallow rules
+###
+### traced should NEVER do any of this
+
+# Block device access.
+neverallow traced dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow traced domain:process ptrace;
+
+# Disallows access to /data files, still allowing to write to file descriptors
+# passed through the socket.
+neverallow traced {
+ data_file_type
+ -perfetto_traces_data_file
+ # We need following 3 lines because allow rules for them are defined at the
+ # domain/coredomain level.
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+}:dir *;
+
+neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+ data_file_type
+ -perfetto_traces_data_file
+}:file ~write;
+
+# Only init is allowed to enter the traced domain via exec()
+neverallow { domain -init } traced:process transition;
+neverallow * traced:process dyntransition;
diff --git a/microdroid/system/private/traced_probes.te b/microdroid/system/private/traced_probes.te
new file mode 100644
index 0000000..cfc81b5
--- /dev/null
+++ b/microdroid/system/private/traced_probes.te
@@ -0,0 +1,62 @@
+type traced_probes, domain, coredomain;
+type traced_probes_exec, system_file_type, exec_type, file_type;
+type traced_probes_tmpfs, file_type;
+
+# Allow init to exec traced_probes daemon
+init_daemon_domain(traced_probes)
+
+# The traced daemon uses shared memory supplied producers. And hence
+# traced_probes daemon is a producer we need to have tmpfs_domain for it.
+tmpfs_domain(traced_probes)
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(traced_probes)
+
+# Allow traced_probes to access tracefs.
+allow traced_probes debugfs_tracing:dir r_dir_perms;
+allow traced_probes debugfs_tracing:file rw_file_perms;
+allow traced_probes debugfs_trace_marker:file getattr;
+allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
+
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
+# Allow procfs access
+r_dir_file(traced_probes, domain)
+
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace)
+
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;
+
+###
+### Neverallow rules
+###
+### traced_probes should NEVER do any of this
+
+# Block device access.
+neverallow traced_probes dev_type:blk_file { read write };
+
+# ptrace any other app
+# TODO(b/271562015): move this to domain level neverallow rule.
+neverallow traced_probes domain:process ptrace;
+
+# Disallows access to /data files.
+neverallow traced_probes {
+ data_file_type
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+}:dir *;
+
+neverallow traced_probes system_data_file:dir ~{ getattr search };
+
+neverallow traced_probes_exec data_file_type:file *;
+
+# Only init is allowed to enter the traced_probes domain via exec()
+neverallow { domain -init } traced_probes:process transition;
+neverallow * traced_probes:process dyntransition;
+
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index fe269d7..6a698c3 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -45,6 +45,8 @@
type vendor_file, file_type, vendor_file_type;
type vendor_service_contexts_file, vendor_file_type, file_type;
type vm_payload_service_socket, file_type, coredomain_socket;
+type traced_consumer_socket, file_type, coredomain_socket;
+type traced_producer_socket, file_type, coredomain_socket;
# file system types
type binfmt_miscfs, fs_type;