From a87a13f16ca7317f2be5387ef0ad4b8083702af0 Mon Sep 17 00:00:00 2001 From: Yu-Ting Tseng Date: Fri, 17 Nov 2023 17:07:57 -0800 Subject: [PATCH] Update uprobestats SELinux policy The changes include - allow binder calls to ActivityManager and NativePackageManager - allow binder calls from system server - allow writes of statsd atoms - allow init to start uprobestats - permission for uprobestats config files and propery - allow execution of oatdump so it can look up code offsets - allow scanning /proc. Test: m selinux_policy Change-Id: Id1864b7dac3a2c5dcd8736c4932778e36b658ce3 --- apex/com.android.art-file_contexts | 1 + contexts/plat_file_contexts_test | 2 ++ private/file.te | 6 ++++++ private/file_contexts | 1 + private/property.te | 1 + private/property_contexts | 1 + private/statsd.te | 7 +++++++ private/system_server.te | 1 + private/uprobestats.te | 25 +++++++++++++++++++++++-- 9 files changed, 43 insertions(+), 2 deletions(-) diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts index ada6c3b3b..83d081ac9 100644 --- a/apex/com.android.art-file_contexts +++ b/apex/com.android.art-file_contexts @@ -9,4 +9,5 @@ /bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0 /bin/odrefresh u:object_r:odrefresh_exec:s0 /bin/profman u:object_r:profman_exec:s0 +/bin/oatdump u:object_r:oatdump_exec:s0 /lib(64)?(/.*)? u:object_r:system_lib_file:s0 diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test index 54dc1f325..e003d65b1 100644 --- a/contexts/plat_file_contexts_test +++ b/contexts/plat_file_contexts_test @@ -1269,3 +1269,5 @@ /product/bin/otapreopt_script postinstall_exec /system/bin/otapreopt postinstall_dexopt_exec /product/bin/otapreopt postinstall_dexopt_exec +/data/misc/uprobestats-configs uprobestats_configs_data_file +/data/misc/uprobestats-configs/test uprobestats_configs_data_file diff --git a/private/file.te b/private/file.te index f4c3e2dd4..de2581d3c 100644 --- a/private/file.te +++ b/private/file.te 
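Review bot: Giving `/bin/oatdump` the dedicated `oatdump_exec` label in apex/com.android.art-file_contexts takes it out of whatever broader label it carried before. The only allow rule for the new type in this commit is `allow uprobestats oatdump_exec:file rx_file_perms;` in private/uprobestats.te. Any other domain that executes oatdump today (none is visible in this patch) would start hitting denials, so the existing callers should be checked before this lands. A short comment above the new line, such as `# oatdump is executed by uprobestats to look up code offsets`, would record why this binary has its own type.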
@@ -28,6 +28,12 @@ type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_f # /data/misc/perfetto-configs for perfetto configs type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type; +# /data/misc/uprobestats-configs for uprobestats configs +type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type; + +# /apex/com.android.art/bin/oatdump +type oatdump_exec, system_file_type, exec_type, file_type; + # /data/misc_{ce/de}//sdksandbox root data directory for sdk sandbox processes type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type; # /data/misc_{ce/de}//sdksandbox//* subdirectory for sdk sandbox processes diff --git a/private/file_contexts b/private/file_contexts index 3cfbaf0ee..1fdeb14d9 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -663,6 +663,7 @@ /data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0 /data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0 /data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0 +/data/misc/uprobestats-configs(/.*)? u:object_r:uprobestats_configs_data_file:s0 /data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0 /data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0 /data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0 diff --git a/private/property.te b/private/property.te index ff0b693b6..20a93751f 100644 --- a/private/property.te +++ b/private/property.te @@ -45,6 +45,7 @@ system_internal_prop(snapuserd_prop) system_internal_prop(system_adbd_prop) system_internal_prop(timezone_metadata_prop) system_internal_prop(traced_perf_enabled_prop) +system_internal_prop(uprobestats_start_with_config_prop) system_internal_prop(tuner_server_ctl_prop) system_internal_prop(userspace_reboot_log_prop) system_internal_prop(userspace_reboot_test_prop) 
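Review bot: In the private/property.te hunk, `system_internal_prop(uprobestats_start_with_config_prop)` is inserted between `traced_perf_enabled_prop` and `tuner_server_ctl_prop`, which breaks what looks like an alphabetical list in the visible context. It would sit more naturally after `system_internal_prop(tuner_server_ctl_prop)` and before `system_internal_prop(userspace_reboot_log_prop)`. Keeping the list sorted makes it easier to audit which internal properties exist and to spot duplicates.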
diff --git a/private/property_contexts b/private/property_contexts index 4166c5509..11fa4adc9 100644 --- a/private/property_contexts +++ b/private/property_contexts @@ -87,6 +87,7 @@ persist.traced.enable u:object_r:traced_enabled_prop:s0 traced.lazy. u:object_r:traced_lazy_prop:s0 persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0 persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0 +uprobestats.start_with_config u:object_r:uprobestats_start_with_config_prop:s0 persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0 persist.vendor.overlay. u:object_r:overlay_prop:s0 ril.cdma.inecmmode u:object_r:radio_cdma_ecm_prop:s0 exact bool diff --git a/private/statsd.te b/private/statsd.te index 59948fffb..051b99ec8 100644 --- a/private/statsd.te +++ b/private/statsd.te @@ -28,3 +28,10 @@ binder_call(statsd, surfaceflinger); # Allow statsd to read its system properties get_prop(statsd, device_config_statsd_native_prop) get_prop(statsd, device_config_statsd_native_boot_prop) + +# Allow statsd to write uprobestats configs. +allow statsd uprobestats_configs_data_file:dir rw_dir_perms; +allow statsd uprobestats_configs_data_file:file create_file_perms; + +# Allow statsd to trigger uprobestats via property. +set_prop(statsd, uprobestats_start_with_config_prop); diff --git a/private/system_server.te b/private/system_server.te index 474a7b6dc..982e1f3bd 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -302,6 +302,7 @@ binder_call(system_server, virtual_camera) binder_call(system_server, vold) binder_call(system_server, logd) binder_call(system_server, wificond) +binder_call(system_server, uprobestats) binder_service(system_server) # Use HALs diff --git a/private/uprobestats.te b/private/uprobestats.te index f2a4ae3bc..78595f6af 100644 --- a/private/uprobestats.te +++ b/private/uprobestats.te 
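Review bot: The new private/property_contexts entry for `uprobestats.start_with_config` has no `exact` qualifier, so it is a prefix match. Every property whose name begins with that string gets `uprobestats_start_with_config_prop`, and the value is not type-checked. Since this property triggers a daemon that holds `perfmon` and BPF access, pinning it is the safer default: `uprobestats.start_with_config u:object_r:uprobestats_start_with_config_prop:s0 exact string`. That assumes the value is a config name; use the matching type if it is something else.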
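Review bot: In the private/statsd.te hunk, statsd receives `create_file_perms` on `uprobestats_configs_data_file`, which covers more than writing a new config, for example rename, setattr and unlink. The uprobestats side of this commit already takes `unlink` for itself. If statsd only drops a config file and sets the property, a narrower set such as `allow statsd uprobestats_configs_data_file:file { create open write getattr };` would keep the writer of the config from also managing its lifecycle. That should be confirmed against what statsd actually does. Separately, `set_prop(statsd, uprobestats_start_with_config_prop);` ends with a semicolon while the `get_prop(...)` lines just above it do not; dropping it keeps the file consistent.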
@@ -4,8 +4,8 @@ typeattribute uprobestats bpfdomain; type uprobestats_exec, system_file_type, exec_type, file_type; -# Allow uprobestats to be invoked by statsd. -domain_auto_trans(statsd, uprobestats_exec, uprobestats) +# Allow init to start uprobestats. +init_daemon_domain(uprobestats) allow uprobestats fs_bpf_uprobe_private:file { read write }; allow uprobestats fs_bpf_uprobe_private:dir search; @@ -14,3 +14,24 @@ allow uprobestats self:capability2 perfmon; allow uprobestats self:perf_event { cpu open write }; allow uprobestats sysfs_uprobe:file { open read }; allow uprobestats sysfs_uprobe:dir { search }; + +# Allow uprobestats to popen oatdump. +allow uprobestats oatdump_exec:file rx_file_perms; + +# Allow uprobestats to write atoms to statsd +unix_socket_send(uprobestats, statsdw, statsd) + +# For registration with system server as a process observer. +binder_use(uprobestats) +allow uprobestats activity_service:service_manager find; +binder_call(uprobestats, system_server); + +# Allow uprobestats to talk to native package manager +allow uprobestats package_native_service:service_manager find; + +# Allow uprobestats to scan /proc//cmdline. +r_dir_file(uprobestats, { domain -appdomain }) + +# Allow uprobestats to manage its own config files. +allow uprobestats uprobestats_configs_data_file:dir rw_dir_perms; +allow uprobestats uprobestats_configs_data_file:file { r_file_perms unlink };
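Review bot: In the second private/uprobestats.te hunk, `r_dir_file(uprobestats, { domain -appdomain })` grants far more than the cmdline scan its comment describes. It gives read access to the /proc entries of every non-app domain, because SELinux labels those entries by process domain and cannot scope the rule to one file name. The comment should say so, e.g. `# Needed to read /proc/<pid>/cmdline; note this grants read on all /proc/<pid> entries of non-app domains.`, and the set should be narrowed if the probed processes are known. In the same hunk, `rx_file_perms` on `oatdump_exec` includes `execute_no_trans`, so oatdump runs inside the uprobestats domain with its `perfmon` capability and BPF access. If that is intended, a comment like `# oatdump runs in the uprobestats domain (no transition).` would make it explicit; otherwise a dedicated domain with a transition would contain it. `binder_call(uprobestats, system_server);` also carries a trailing semicolon that the other macro calls in the hunk do not.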