/* * Copyright (C) 2024 The Android Open Source Projectf * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include "src/trace_redaction/verify_integrity.h" #include "src/trace_processor/util/status_macros.h" #include "protos/perfetto/common/trace_stats.pbzero.h" #include "protos/perfetto/trace/ftrace/ftrace_event.pbzero.h" #include "protos/perfetto/trace/ftrace/ftrace_event_bundle.pbzero.h" #include "protos/perfetto/trace/trace_packet.pbzero.h" namespace perfetto::trace_redaction { base::Status VerifyIntegrity::Collect( const protos::pbzero::TracePacket::Decoder& packet, Context*) const { if (!packet.has_trusted_uid()) { return base::ErrStatus( "VerifyIntegrity: missing field (TracePacket::kTrustedUid)."); } if (packet.trusted_uid() > Context::kMaxTrustedUid) { return base::ErrStatus("VerifyIntegrity: untrusted uid found (uid = %d).", packet.trusted_uid()); } if (packet.has_ftrace_events()) { RETURN_IF_ERROR(OnFtraceEvents(packet.ftrace_events())); } // If there is a process tree, there should be a timestamp on the packet. This // is the only way to know when the process tree was collected. if (packet.has_process_tree() && !packet.has_timestamp()) { return base::ErrStatus( "VerifyIntegrity: missing fields (TracePacket::kProcessTree + " "TracePacket::kTimestamp)."); } // If there are a process stats, there should be a timestamp on the packet. // This is the only way to know when the stats were collected. if (packet.has_process_stats() && !packet.has_timestamp()) { return base::ErrStatus( "VerifyIntegrity: missing fields (TracePacket::kProcessStats + " "TracePacket::kTimestamp)."); } if (packet.has_trace_stats()) { RETURN_IF_ERROR(OnTraceStats(packet.trace_stats())); } return base::OkStatus(); } base::Status VerifyIntegrity::OnFtraceEvents( const protozero::ConstBytes bytes) const { protos::pbzero::FtraceEventBundle::Decoder events(bytes); // Any ftrace lost events should cause the trace to be dropped: // protos/perfetto/trace/ftrace/ftrace_event_bundle.proto if (events.has_lost_events() && events.has_lost_events()) { return base::ErrStatus( "VerifyIntegrity: detected FtraceEventBundle error."); } // The other clocks in ftrace are only used on very old kernel versions. No // device with V should have such an old version. As a failsafe though, // check that the ftrace_clock field is unset to ensure no invalid // timestamps get by. if (events.has_ftrace_clock()) { return base::ErrStatus( "VerifyIntegrity: unexpected field (FtraceEventBundle::kFtraceClock)."); } // Every ftrace event bundle should have a CPU field. This is necessary for // switch/waking redaction to work. if (!events.has_cpu()) { return base::ErrStatus( "VerifyIntegrity: missing field (FtraceEventBundle::kCpu)."); } // Any ftrace errors should cause the trace to be dropped: // protos/perfetto/trace/ftrace/ftrace_event_bundle.proto if (events.has_error()) { return base::ErrStatus("VerifyIntegrity: detected FtraceEvent errors."); } for (auto it = events.event(); it; ++it) { RETURN_IF_ERROR(OnFtraceEvent(*it)); } return base::OkStatus(); } base::Status VerifyIntegrity::OnFtraceEvent( const protozero::ConstBytes bytes) const { protos::pbzero::FtraceEvent::Decoder event(bytes); if (!event.has_timestamp()) { return base::ErrStatus( "VerifyIntegrity: missing field (FtraceEvent::kTimestamp)."); } if (!event.has_pid()) { return base::ErrStatus( "VerifyIntegrity: missing field (FtraceEvent::kPid)."); } return base::OkStatus(); } base::Status VerifyIntegrity::OnTraceStats( const protozero::ConstBytes bytes) const { protos::pbzero::TraceStats::Decoder trace_stats(bytes); if (trace_stats.has_flushes_failed() && trace_stats.flushes_failed()) { return base::ErrStatus("VerifyIntegrity: detected TraceStats flush fails."); } if (trace_stats.has_final_flush_outcome() && trace_stats.final_flush_outcome() == protos::pbzero::TraceStats::FINAL_FLUSH_FAILED) { return base::ErrStatus( "VerifyIntegrity: TraceStats final_flush_outcome is " "FINAL_FLUSH_FAILED."); } for (auto it = trace_stats.buffer_stats(); it; ++it) { RETURN_IF_ERROR(OnBufferStats(*it)); } return base::OkStatus(); } base::Status VerifyIntegrity::OnBufferStats( const protozero::ConstBytes bytes) const { protos::pbzero::TraceStats::BufferStats::Decoder stats(bytes); if (stats.has_patches_failed() && stats.patches_failed()) { return base::ErrStatus( "VerifyIntegrity: detected BufferStats patch fails."); } if (stats.has_abi_violations() && stats.abi_violations()) { return base::ErrStatus( "VerifyIntegrity: detected BufferStats abi violations."); } auto has_loss = stats.has_trace_writer_packet_loss(); auto value = stats.trace_writer_packet_loss(); if (has_loss && value) { return base::ErrStatus( "VerifyIntegrity: detected BufferStats writer packet loss."); } return base::OkStatus(); } } // namespace perfetto::trace_redaction