Policies for profcollectd

Bug: 79161490
Test: run profcollect with enforcing
Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6

private/coredomain.te

@@ -64,6 +64,7 @@ full_treble_only(`
         -init
         -installd
         userdebug_or_eng(`-heapprofd')
+        userdebug_or_eng(`-profcollectd')
         -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
@@ -110,6 +111,7 @@ full_treble_only(`
         -webview_zygote
         -zygote
         userdebug_or_eng(`-heapprofd')
+        userdebug_or_eng(`-profcollectd')
     } vendor_overlay_file:file open;
 ')
 
@@ -159,6 +161,7 @@ full_treble_only(`
     -shell
     -system_server
     -traceur_app
+    userdebug_or_eng(`-profcollectd')
   } debugfs_tracing:file no_rw_file_perms;
 
   # inotifyfs

private/domain.te

@@ -112,6 +112,7 @@ neverallow {
   userdebug_or_eng(`-llkd')
   -dumpstate
   userdebug_or_eng(`-incidentd')
+  userdebug_or_eng(`-profcollectd')
   -storaged
   -system_server
 } self:global_capability_class_set sys_ptrace;
@@ -375,6 +376,7 @@ full_treble_only(`
     -bootanim
     -crash_dump
     -heapprofd
+    userdebug_or_eng(`-profcollectd')
     -init
     -iorap_inode2filename
     -iorap_prefetcherd
@@ -416,6 +418,7 @@ full_treble_only(`
     -iorap_prefetcherd
     -kernel # loads /vendor/firmware
     userdebug_or_eng(`-heapprofd')
+    userdebug_or_eng(`-profcollectd')
     -shell
     -system_executes_vendor_violators
     -traced_perf # library/binary access for symbolization

private/file_contexts

@@ -314,6 +314,7 @@
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/profcollectd         u:object_r:profcollectd_exec:s0
+/system/bin/profcollectctl       u:object_r:profcollectd_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
 /system/bin/wpantund             u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0

private/profcollectd.te

@@ -5,10 +5,35 @@ type profcollectd_exec, system_file_type, exec_type, file_type;
 userdebug_or_eng(`
   init_daemon_domain(profcollectd)
 
-  # profcollectd opens a file for writing in /data/misc/profcollectd
+  # profcollectd opens a file for writing in /data/misc/profcollectd.
   allow profcollectd profcollectd_data_file:file create_file_perms;
   allow profcollectd profcollectd_data_file:dir rw_dir_perms;
 
+  # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
+  allow profcollectd self:perf_event { cpu kernel open read write };
+
+  # Allow profcollectd to scan through /proc/pid for all processes.
+  r_dir_file(profcollectd, domain)
+
+  # Allow profcollectd to read executable binaries.
+  allow profcollectd system_file_type:file r_file_perms;
+  allow profcollectd vendor_file_type:file r_file_perms;
+
+  # Allow profcollectd to access tracefs.
+  allow profcollectd debugfs_tracing:dir r_dir_perms;
+  allow profcollectd debugfs_tracing:file rw_file_perms;
+  allow profcollectd debugfs_tracing_debug:dir r_dir_perms;
+  allow profcollectd debugfs_tracing_debug:file rw_file_perms;
+
+  # Allow profcollectd to write to perf_event_paranoid under /proc.
+  allow profcollectd proc_perf:file write;
+
+  # Allow profcollectd to access cs_etm sysfs.
+  r_dir_file(profcollectd, sysfs_devices_cs_etm)
+
+  # Allow profcollectd to ptrace.
+  allow profcollectd self:global_capability_class_set sys_ptrace;
+
   # Allow profcollectd to publish a binder service and make binder calls.
   binder_use(profcollectd)
   add_service(profcollectd, profcollectd_service)

private/shell.te

@@ -86,6 +86,9 @@ allowxperm shell shell_data_file:dir ioctl {
 # Allow shell to execute simpleperf without a domain transition.
 allow shell simpleperf_exec:file rx_file_perms;
 
+# Allow shell to execute profcollectctl without a domain transition.
+allow shell profcollectd_exec:file rx_file_perms;
+
 # Allow shell to call perf_event_open for profiling other shell processes, but
 # not the whole system.
 allow shell self:perf_event { open read write kernel };

private/system_server.te

@@ -215,6 +215,7 @@ binder_call(system_server, incidentd)
 binder_call(system_server, iorapd)
 binder_call(system_server, netd)
 binder_call(system_server, notify_traceur)
+userdebug_or_eng(`binder_call(system_server, profcollectd)')
 binder_call(system_server, statsd)
 binder_call(system_server, storaged)
 binder_call(system_server, update_engine)