perfetto: scope RelayPort to explicitly opted-in producer sockets#5908
Open
LalitMaganti wants to merge 1 commit into
Open
perfetto: scope RelayPort to explicitly opted-in producer sockets#5908LalitMaganti wants to merge 1 commit into
LalitMaganti wants to merge 1 commit into
Conversation
🎨 Perfetto UI Builds
|
LalitMaganti
force-pushed
the
dev/lalitm/relay
branch
from
91e8720 to
49c3fb7
Compare
With --enable-relay-endpoint set and multiple producer sockets bound, traced exposed the RelayPort IPC service on every one of them, including local AF_UNIX sockets reachable by unprivileged apps. A local caller could bind RelayPort and cache forged SystemInfo / RemoteClockSync data that traced later emitted with its trusted packet sequence ID, defeating PacketStreamValidator. Gate RelayPort exposure per ListenEndpoint via a new expose_relay_endpoint bit honoured by ServiceIPCHostImpl. Add --enable-relay-endpoint-on=<sock> as a narrower variant of --enable-relay-endpoint that turns RelayPort on only for the named producer sockets, which must already appear in PERFETTO_PRODUCER_SOCK_NAME. On Android the init-bound local producer socket is never relay-capable; traced.relay_producer_port keeps adding its own relay socket. --enable-relay-endpoint retains its existing semantics for the common single-socket multi-machine setup.
LalitMaganti
force-pushed
the
dev/lalitm/relay
branch
from
49c3fb7 to
ad9c0db
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
With --enable-relay-endpoint set and multiple producer sockets bound,
traced exposed the RelayPort IPC service on every one of them,
including local AF_UNIX sockets reachable by unprivileged apps. A local
caller could bind RelayPort and cache forged SystemInfo /
RemoteClockSync data that traced later emitted with its trusted packet
sequence ID, defeating PacketStreamValidator.
Gate RelayPort exposure per ListenEndpoint via a new
expose_relay_endpoint bit honoured by ServiceIPCHostImpl. Add
--enable-relay-endpoint-on= as a narrower variant of
--enable-relay-endpoint that turns RelayPort on only for the named
producer sockets, which must already appear in
PERFETTO_PRODUCER_SOCK_NAME. On Android the init-bound local producer
socket is never relay-capable; traced.relay_producer_port keeps adding
its own relay socket. --enable-relay-endpoint retains its existing
semantics for the common single-socket multi-machine setup.