Sepolicy: Introduce perfprofd binder service

Add policy for the perfprofd binder service. For now, only allow su to talk to it. Test: m Change-Id: I690f75460bf513cb326314cce633fa25453515d6
2017-12-22 13:05:28 -08:00 · 2017-12-22 13:05:28 -08:00 · aa9711f82b
commit aa9711f82b
parent 0b6856f59b
4 changed files with 21 additions and 0 deletions
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@ -27,6 +27,7 @@
    netd_stable_secret_prop
    network_watchlist_service
    package_native_service
+    perfprofd_service
    property_info
    slice_service
    stats
--- a/private/service_contexts
+++ b/private/service_contexts
@ -111,6 +111,7 @@ otadexopt                                 u:object_r:otadexopt_service:s0
 overlay                                   u:object_r:overlay_service:s0
 package                                   u:object_r:package_service:s0
 package_native                            u:object_r:package_native_service:s0
+perfprofd                                 u:object_r:perfprofd_service:s0
 permission                                u:object_r:permission_service:s0
 persistent_data_block                     u:object_r:persistent_data_block_service:s0
 phone_msim                                u:object_r:radio_service:s0
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@ -96,4 +96,22 @@ userdebug_or_eng(`
  dontaudit perfprofd shell_data_file:dir *;
  dontaudit perfprofd shell_data_file:file *;

+  # Allow perfprofd to publish a binder service and make binder calls.
+  binder_use(perfprofd)
+  add_service(perfprofd, perfprofd_service)
+
+  # Use devpts for streams from cmd.
+  #
+  # This is normally granted to binderservicedomain, but this service
+  # has tighter restrictions on the callers (see below), so must enable
+  # this manually.
+  allow perfprofd devpts:chr_file rw_file_perms;
+
+  # Use socket & pipe supplied by su, for cmd perfprofd dump.
+  allow perfprofd su:unix_stream_socket { read write getattr sendto };
+  allow perfprofd su:fifo_file r_file_perms;
+
+  # For now, only allow su to communicate with us.
+  neverallow domain perfprofd:binder call;
+  neverallow perfprofd { domain -servicemanager -su }:binder call;
 ')
--- a/public/service.te
+++ b/public/service.te
@ -20,6 +20,7 @@ type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
+type perfprofd_service,         service_manager_type;
 type radio_service,             service_manager_type;
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;