Allow tracing service to access kallsyms on userdebug This CL allows the traced_probes service to temporarily lower kptr_restrict and read /proc/kallsyms. This is allowed only on userdebug/eng builds. The lowering of kptr_restrict is done via an init property because the kernel checks that the kptr_restrict writer is CAP_SYS_ADMIN, regardless of the /proc file ACLs [1]. [1] https://github.com/torvalds/linux/blob/4cbffc461ec91287c4cb1d0e27b01b988d0b8fba/kernel/sysctl.c#L2254 Bug: 136133013 Design doc: go/perfetto-kallsyms Test: perfetto_integrationtests --gtest_filter=PerfettoTest.KernelAddressSymbolization in r.android.com/1454882 Change-Id: Ic06e7a9a74c0f3e42fa63f7f41decc385c9fea2c

commit: cd452300a78de4ca0f85770966a76cc90f6a6b4d [log] [tgz]
author: Primiano Tucci <primiano@google.com> Fri Oct 09 09:15:10 2020 +0100
committer: Primiano Tucci <primiano@google.com> Fri Oct 23 14:03:08 2020 +0100
tree: cc6bcd484eb2699a59c51d62889b3332974fd1e5
parent: c1eb80e302f3a23c9dbbea8ab1fa8a972ff8bf30 [diff] [blame]
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 36f9c51..f010a77 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te

@@ -29,6 +29,11 @@
 # Allow procfs access
 r_dir_file(traced_probes, domain)
 
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
+allow traced_probes proc_kallsyms:file r_file_perms;
+
 # Allow to read packages.list file.
 allow traced_probes packages_list_file:file r_file_perms;
commit	cd452300a78de4ca0f85770966a76cc90f6a6b4d	[log] [tgz]
author	Primiano Tucci <primiano@google.com>	Fri Oct 09 09:15:10 2020 +0100
committer	Primiano Tucci <primiano@google.com>	Fri Oct 23 14:03:08 2020 +0100
tree	cc6bcd484eb2699a59c51d62889b3332974fd1e5
parent	c1eb80e302f3a23c9dbbea8ab1fa8a972ff8bf30 [diff] [blame]