debian: Run tracing service under a dedicated user

Run the 'traced' daemon as a dedicated user on Debian so that
access to the consumer socket can be gated on membership of the
'perfetto-traced' group.

Change-Id: Ib8a2f1a3a0e3b3aef50f400bde40fa5b182ef6a7
diff --git a/debian/changelog b/debian/changelog
index 6e2b4fc..40a8df5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+perfetto (9.0-1) unstable; urgency=medium
+
+  * Run traced under a dedicated system user account and set socket
+    permissions accordingly so that any user can write trace events, but
+    only the users in the "traced-consumer" group can read trace data.
+  * Update to debhelper 10.
+  * Bump version to match Perfetto release.
+
+ -- Sami Kyostila <skyostil@google.com>  Mon, 9 Nov 2020 15:24:00 +0000
+
 perfetto (0.1-1) unstable; urgency=medium
 
   * Initial release
diff --git a/debian/compat b/debian/compat
index ec63514..f599e28 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-9
+10
diff --git a/debian/control b/debian/control
index b16354f..be52af4 100644
--- a/debian/control
+++ b/debian/control
@@ -1,16 +1,16 @@
 Source: perfetto
-Section: unknown
+Section: kernel
 Priority: optional
 Maintainer: Sami Kyostila <skyostil@google.com>
-Build-Depends: debhelper (>= 9)
+Build-Depends: debhelper (>= 10)
 Standards-Version: 3.9.8
-Homepage: https://android.googlesource.com/platform/external/perfetto/
+Homepage: https://perfetto.dev
 Vcs-Git: https://android.googlesource.com/platform/external/perfetto/
 Vcs-Browser: https://android.googlesource.com/platform/external/perfetto/
 
 Package: perfetto
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: Performance instrumentation and logging for POSIX platforms
+Description: Performance instrumentation and logging framework
  Perfetto is a performance instrumentation and logging framework for POSIX
  systems.
diff --git a/debian/postinst b/debian/postinst
new file mode 100755
index 0000000..c32e828
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+adduser --quiet --system --no-create-home --group traced
+addgroup --quiet --system traced-consumer
+usermod -a -G traced-consumer traced
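Review bot: The script calls `adduser`, `addgroup` and `usermod`, but the `Depends:` line in debian/control still lists only `${shlibs:Depends}, ${misc:Depends}`, so nothing guarantees the adduser package is present when this runs; add `adduser` to `Depends:`. The three commands also run for every postinst action rather than only for `configure`; I would wrap them in `if [ "$1" = configure ]; then … fi`. There is no `#DEBHELPER#` token here or in debian/postrm, so with the move to debhelper 10 the generated service-handling snippets presumably have nowhere to be inserted; end both scripts with `#DEBHELPER#`. A one-line comment on the `usermod` call would also help, e.g. `# traced must be in traced-consumer so it can hand the consumer socket to that group`, if that is the intent.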
diff --git a/debian/postrm b/debian/postrm
new file mode 100755
index 0000000..20c9767
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,3 @@
+#!/bin/sh
+set -e
+rm -f /tmp/perfetto-consumer /tmp/perfetto-producer
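Review bot: The `rm -f` runs for every postrm action, including `upgrade`, and targets fixed names in world-writable /tmp, so nothing guarantees those paths are the sockets traced created. If either name is a directory, `rm -f` returns non-zero and `set -e` makes the package operation fail. I would limit the cleanup to removal and make it best-effort: `case "$1" in remove|purge) rm -f /tmp/perfetto-consumer /tmp/perfetto-producer || true ;; esac`. The `traced` user and `traced-consumer` group created in postinst are left behind; if that is deliberate, say so in a comment such as `# system user and group are intentionally kept after removal`.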
diff --git a/debian/traced-probes.service b/debian/traced-probes.service
index 3209123..81a23f7 100644
--- a/debian/traced-probes.service
+++ b/debian/traced-probes.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Perfetto probes daemon
+Description=Perfetto data sources for system tracing (ftrace and /proc pollers)
 
 [Service]
 ExecStart=/usr/sbin/traced_probes
diff --git a/debian/traced.service b/debian/traced.service
index b082e9c..6eb7d8a 100644
--- a/debian/traced.service
+++ b/debian/traced.service
@@ -1,10 +1,11 @@
 [Unit]
-Description=Perfetto trace daemon
+Description=Perfetto tracing service daemon
 
 [Service]
-ExecStart=/usr/sbin/traced
-User=nobody
-Group=nogroup
+ExecStart=/usr/sbin/traced \
+    --set-socket-permissions traced:0666:traced-consumer:0660
+User=traced
+Group=traced
 PrivateTmp=no
 PrivateDevices=yes
 PrivateNetwork=yes
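Review bot: The 0666/0660 split passed to `--set-socket-permissions` only protects trace data if traced itself creates the socket paths. With `PrivateTmp=no` kept, and debian/postrm removing `/tmp/perfetto-consumer` and `/tmp/perfetto-producer`, the sockets appear to live in world-writable /tmp, where another local account could occupy those names before the service starts. Consider a service-owned directory instead, e.g. `RuntimeDirectory=perfetto` with the sockets pointed there (traced reads `PERFETTO_PRODUCER_SOCK_NAME` / `PERFETTO_CONSUMER_SOCK_NAME`; confirm for this release, and clients would need the same paths). At minimum, add a comment above the flag: `# producer socket: any local user may write; consumer socket: traced-consumer group only`. The commit message also names the group 'perfetto-traced' while this unit and postinst use `traced-consumer`; one of the two should be corrected.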