Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 8b2647217700d7cd3645270f078c2384f91f135b^! / . / private / traced_perf.te
commit8b2647217700d7cd3645270f078c2384f91f135b[log] [tgz]
authorRyan Savitski <rsavitski@google.com>Sun Jan 31 14:53:33 2021 +0000
committerRyan Savitski <rsavitski@google.com>Sun Jan 31 16:44:00 2021 +0000
tree249dc286b56a451f7c5c8be0b8e30b2a6ca0a76b
parentc01ac10fd7a442ab9371f09088c2067f48b5127b [diff] [blame]
traced_perf: allow RO tracefs access + fix neverallow

We're adding support for counting and/or sampling on the static kernel
tracepoints in traced_perf (via perf_event_open). This requires traslating
a human-readable tracepoint name to its id for the running kernel.
For that, we need to read the "id" files like:
  /sys/kernel/tracing/events/sched/sched_switch/id

While the current implementation should only need "file r_file_perms",
as it constructs the full path to the id file, I've also added the
directory-level rule to allow for a possible change in implementation,
as we might want to enumerate all available events ahead of time, which
would require listing the tracefs events/ dir.

The changed neverallow macro was a copypaste mistake.

Example denials without the change:
  avc: denied { read } for name="id" dev="tracefs" ino=5721
  scontext=u:r:traced_perf:s0 tcontext=u:object_r:debugfs_tracing:s0
  tclass=file permissive=1

  avc: denied { open } for
  path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs"
  ino=5721 scontext=u:r:traced_perf:s0
  tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1

  avc: denied { getattr } for
  path="/sys/kernel/tracing/events/sched/sched_switch/id" dev="tracefs"
  ino=5721 scontext=u:r:traced_perf:s0
  tcontext=u:object_r:debugfs_tracing:s0 tclass=file permissive=1

Tested: collected a profile sampled on "sched/sched_switch" on
        crosshatch-userdebug.
Bug: 170284829
Bug: 178961752
Change-Id: I75427e848ccfdc200c5f9b679ea18fc78e1669d6

diff --git a/private/traced_perf.te b/private/traced_perf.te
index e5760f0..96a7263 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te

@@ -38,6 +38,14 @@
 userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
 allow traced_perf proc_kallsyms:file r_file_perms;
 
+# Allow reading tracefs files to get the format and numeric ids of tracepoints.
+allow traced_perf debugfs_tracing:dir r_dir_perms;
+allow traced_perf debugfs_tracing:file r_file_perms;
+userdebug_or_eng(`
+  allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
+  allow traced_perf debugfs_tracing_debug:file r_file_perms;
+')
+
 # Do not audit the cases where traced_perf attempts to access /proc/[pid] for
 # domains that it cannot read.
 dontaudit traced_perf domain:dir { search getattr open };
@@ -51,7 +59,7 @@
 neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
 
 # Never allow profiling highly privileged processes.
-never_profile_heap(`{
+never_profile_perf(`{
   bpfloader
   init
   kernel