Security model for system-wide tracing on Android/Linux

The tracing service has two endpoints (in Chromium: Mojo services, on Android/Linux: UNIX sockets): one for producer(s) and one for consumer(s). The former is typically public, the latter is restricted only to trusted consumers.

Security overview

Producers

Producers are never trusted. We assume they will try their best to DoS / crash / exploit the tracing service. We do so at the service/tracing_service_impl.cc so that the same level of security and testing is applied regardless of the embedder and the IPC transport.

Tracing service

Consumers

Consumers are always trusted. They still shouldn't be able to crash or exploit the service. They can easily DoS it though, but that is WAI.

Shared memory isolation

Memory is shared only point-to-point between each producer and the tracing service. We should never ever share memory across producers (in order to not leak trace data belonging to different producers) nor between producers and consumers (that would open a hard to audit path between untrusted-and-unprivileged and trusted-and-more-privileged entities).

Attestation of trace contents

The tracing service guarantees that the TracePacket fields written by the Service cannot be spoofed by the Producer(s).
Packets that try to define those fields are rejected, modulo clock snapshots.
See PacketStreamValidator and its unit test for more details.
At the moment nothing prevents that a producer writes TracePacket(s) that do not belong to its data sources. Realistically the service will never prevent that because doing so would imply that the service knows about all the possible types of packets, which doesn't scale.
However, the service appends the POSIX uid of the producer to each TracePacket to perform offline attestation of the contents of the trace.