From 38d0247da007fda16a30c34d48a551387f7b01c2 Mon Sep 17 00:00:00 2001
From: Than McIntosh
Date: Thu, 30 Apr 2015 15:27:36 -0400
Subject: [PATCH] New sepolicy for perfprofd, simpleperf.

Bug: http://b/19483574
(cherry picked from commit 0fdd364e8986c2fab6a8556590bcc67018892124)
Change-Id: If29946a5d7f92522f3bbb807cea5f9f1b42a6513
---
 file_contexts | 2 ++
 perfprofd.te | 45 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 perfprofd.te

diff --git a/file_contexts b/file_contexts
index a83b2905f..48fbb5a48 100644
--- a/file_contexts
+++ b/file_contexts
@@ -160,6 +160,8 @@
 /system/bin/racoon u:object_r:racoon_exec:s0
 /system/xbin/su u:object_r:su_exec:s0
 /system/xbin/procrank u:object_r:procrank_exec:s0
+/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
+/system/xbin/simpleperf u:object_r:system_file:s0
 /system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
 /system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
 /system/bin/hostapd u:object_r:hostapd_exec:s0
diff --git a/perfprofd.te b/perfprofd.te
new file mode 100644
index 000000000..30b438b30
--- /dev/null
+++ b/perfprofd.te
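Review bot: The added `/system/xbin/simpleperf` entry in the file_contexts hunk labels the binary `system_file`, so it has no exec type of its own and cannot be given a domain transition or a narrowly scoped execute rule. The companion perfprofd.te hunk consequently grants `allow perfprofd system_file:file rx_file_perms;`, which covers every file carrying that label rather than simpleperf alone, and simpleperf keeps whatever capabilities perfprofd holds. Consider a dedicated label such as `/system/xbin/simpleperf u:object_r:simpleperf_exec:s0` (the type name is a suggestion and would need declaring), so the execute grant can be limited to that one binary. If the generic label is intentional, the entry is presumably redundant with the default label for /system, which is not visible in this hunk.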
@@ -0,0 +1,45 @@
+# perfprofd - perf profile collection daemon
+type perfprofd_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+
+ type perfprofd, domain, mlstrustedsubject;
+
+ init_daemon_domain(perfprofd)
+
+ # perfprofd needs to control CPU hot-plug in order to avoid kernel
+ # perfevents problems in cases where CPU goes on/off during measurement;
+ # this means read access to /sys/devices/system/cpu/possible
+ # and read/write access to /sys/devices/system/cpu/cpu*/online
+ allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
+
+ # perfprofd checks for the existence of and then invokes simpleperf;
+ # simpleperf retains perfprofd domain after exec
+ allow perfprofd system_file:file rx_file_perms;
+
+ # perfprofd reads a config file from /data/data/com.google.android.gms/files
+ # opens a file for writing in the same directory
+ allow perfprofd app_data_file:file rw_file_perms;
+ allow perfprofd app_data_file:dir rw_dir_perms;
+
+ # perfprofd looks for the existence of a semaphore file to determine
+ # whether collection is enabled/disabled (where the semphore file is
+ # created by some other entity, e.g. gms)
+ allow perfprofd app_data_file:dir search;
+ allow perfprofd self:capability { dac_override };
+
+ # perfprofd reads profiles from /data/data/..., encodes them,
+ # and then dumps the encoded profiles back to /data/data/....
+ allow perfprofd app_data_file:dir_file_class_set create_file_perms;
+
+ # perfprofd uses the system log
+ read_logd(perfprofd);
+ write_logd(perfprofd);
+
+ # simpleperf uses ioctl() to turn on kernel perf events measurements
+ allow perfprofd self:capability sys_admin;
+
+ # simpleperf is going to execute "sleep"
+ allow perfprofd toolbox_exec:file x_file_perms;
+
+')
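Review bot: The `app_data_file` rules reach far beyond the gms directory named in the comments: `allow perfprofd app_data_file:dir_file_class_set create_file_perms;` combined with `self:capability { dac_override }` and the `mlstrustedsubject` attribute lets perfprofd, and simpleperf running in the same domain with `sys_admin`, create, modify and remove files in every app's private data directory regardless of DAC ownership or MLS category. The `userdebug_or_eng` wrapper keeps this out of user builds, but a daemon-owned directory with its own label would remove the need for both the app_data_file grants and dac_override, e.g. `type perfprofd_data_file, file_type, data_file_type;` with `allow perfprofd perfprofd_data_file:dir rw_dir_perms;` and `allow perfprofd perfprofd_data_file:file create_file_perms;` (the type name is a suggestion). Separately, `allow perfprofd app_data_file:dir search;` looks redundant with the `rw_dir_perms` rule above it, and "semphore" in that comment should read "semaphore".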