xref: /aosp_15_r20/external/perfetto/docs/design-docs/security-model.md (revision 6dbdd20afdafa5e3ca9b8809fa73465d530080dc)
# Security model for system-wide tracing on Android/Linux

The tracing service has two endpoints (in Chromium: Mojo services, on
Android/Linux: UNIX sockets): one for producer(s) and one for consumer(s).
The former is typically public, the latter is restricted only to trusted
consumers.

![Security overview](https://storage.googleapis.com/perfetto/markdown_img/security-overview.png)

## Producers

Producers are never trusted. We assume they will try their best to DoS / crash /
exploit the tracing service. We defend against this in
[service/tracing_service_impl.cc](/src/tracing/service/tracing_service_impl.cc) so
that the same level of security and testing is applied regardless of the
embedder and the IPC transport.

## Tracing service

- The tracing service has to validate all inputs.
- In the worst case, a bug in the tracing service that allows remote code
  execution, the tracing service should have no meaningful capabilities to
  exploit.
- The tracing service, by design, has a limited syscall surface to simplify
  its sandboxing:
  - It doesn't open or create files (modulo tmpfs).
  - It writes only onto file descriptors passed over the IPC channel.
  - It doesn't open or create sockets (on Android the IPC sockets are passed by
    init, see [perfetto.rc](/perfetto.rc)).
  - On Android it runs as nobody:nobody and is allowed to do very little; see
    [traced.te](https://android.googlesource.com/platform/system/sepolicy/+/main/private/traced.te).
  - In Chromium it should run as a utility process.

## Consumers

Consumers are always trusted. They still shouldn't be able to crash or exploit
the service. They can easily DoS it though, but that is WAI.
- In Chromium the trust path is established through the service manifest.
- In Android the trust path is established by locking down the consumer socket
  to shell through SELinux.

## Shared memory isolation

Memory is shared only point-to-point between each producer and the tracing
service. We should never ever share memory across producers (in order to not
leak trace data belonging to different producers) nor between producers and
consumers (that would open a hard-to-audit path between
untrusted-and-unprivileged and trusted-and-more-privileged entities).

## Attestation of trace contents

The tracing service guarantees that the `TracePacket` fields written by the
service cannot be spoofed by the producer(s).
Packets that try to define those fields are rejected, modulo clock snapshots.
See [PacketStreamValidator](/src/tracing/service/packet_stream_validator.cc) and
[its unit test](/src/tracing/service/packet_stream_validator_unittest.cc) for more
details.
At the moment nothing prevents a producer from writing `TracePacket(s)` that do
not belong to its data sources. Realistically the service will never prevent
that, because doing so would imply that the service knows about all the possible
types of packets, which doesn't scale.
However, the service appends the POSIX uid of the producer to each `TracePacket`
to allow offline attestation of the contents of the trace.

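As an added illustration of the validation and attestation described above (this is not Perfetto's own `PacketStreamValidator`, and the field numbers are assumed for the example rather than the real `TracePacket` ids), the following C++ walks a producer's serialized packet at the protobuf wire level, rejects anything that is malformed or sets a service-owned field while still letting a clock snapshot through, and shows the service-side uid stamp that offline consumers can rely on:

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Field numbers are assumed for illustration, not Perfetto's real ids.
// Producers may write clock_snapshot; the other two belong to the service.
constexpr uint32_t kTrustedUidField = 3;
constexpr uint32_t kClockSnapshotField = 6;
constexpr uint32_t kTrustedSeqIdField = 10;
// Decode one base-128 varint at |pos|; false if the buffer ends early.
static bool ReadVarint(const Bytes& buf, size_t& pos, uint64_t& out) {
  out = 0;
  for (int shift = 0; shift < 64 && pos < buf.size(); shift += 7) {
    uint8_t b = buf[pos++];
    out |= uint64_t(b & 0x7f) << shift;
    if (!(b & 0x80)) return true;
  }
  return false;
}

// Walk the wire format of one packet: accept it only if it is well-formed and
// sets no service-owned field. Other fields are skipped, never interpreted.
bool ValidatePacket(const Bytes& buf) {
  static const std::set<uint32_t> kServiceOnly = {kTrustedUidField, kTrustedSeqIdField};
  size_t pos = 0;
  while (pos < buf.size()) {
    uint64_t tag = 0, v = 0;
    if (!ReadVarint(buf, pos, tag)) return false;    // truncated tag
    uint32_t field = uint32_t(tag >> 3), wire_type = uint32_t(tag & 7);
    if (field == 0 || kServiceOnly.count(field)) return false;  // illegal or spoofed
    switch (wire_type) {                              // skip the payload
      case 0: if (!ReadVarint(buf, pos, v)) return false; break;
      case 1: pos += 8; break;
      case 2: if (!ReadVarint(buf, pos, v) || v > buf.size() - pos) return false;
              pos += v; break;
      case 5: pos += 4; break;
      default: return false;                          // groups / unknown type
    }
    if (pos > buf.size()) return false;               // fixed-width overrun
  }
  return true;
}
// Service side: stamp the producer's POSIX uid onto a packet that passed.
Bytes AppendTrustedUid(Bytes packet, uint64_t uid) {
  packet.push_back(uint8_t(kTrustedUidField << 3));   // tag: field 3, varint
  while (uid >= 0x80) { packet.push_back(uint8_t(uid | 0x80)); uid >>= 7; }
  packet.push_back(uint8_t(uid));
  return packet;
}
```

The uid is appended only after validation, so a packet carrying that field can only have been stamped by the service, never by the producer.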
60