Merge "Add sepolicy for simpleperf_boot." am: 40d41f7639

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1950977

Change-Id: I2026fb57ae608eea576e3fa24b9ca1f9b94df4df
Yabin Cui 2022-01-25 00:41:21 +00:00 committed by Automerger Merge Worker
commit c70015e106
4 changed files with 67 additions and 0 deletions


@ -76,6 +76,7 @@ full_treble_only(`
userdebug_or_eng(`-profcollectd') userdebug_or_eng(`-profcollectd')
-postinstall_dexopt -postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above -rs # spawned by appdomain, so carryover the exception above
userdebug_or_eng(`-simpleperf_boot')
-system_server -system_server
-traced_perf -traced_perf
-mediaserver -mediaserver
@ -121,6 +122,7 @@ full_treble_only(`
-zygote -zygote
-heapprofd -heapprofd
userdebug_or_eng(`-profcollectd') userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
} vendor_overlay_file:file open; } vendor_overlay_file:file open;
') ')
@ -176,6 +178,7 @@ full_treble_only(`
-system_server -system_server
-traceur_app -traceur_app
userdebug_or_eng(`-profcollectd') userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
} debugfs_tracing:file no_rw_file_perms; } debugfs_tracing:file no_rw_file_perms;
# inotifyfs # inotifyfs
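Review bot: None of the added `-simpleperf_boot` exceptions says why the domain must be exempt from the neverallow it is added to, although neighbouring entries in these lists do (for example `-rs # spawned by appdomain, so carryover the exception above`). The third hunk matters most, since it exempts the domain from the `debugfs_tracing:file no_rw_file_perms` rule; a trailing comment such as `# boot-time profiling, reads and writes tracefs` would tie it to the grant in the domain's own policy. The same applies to the exceptions added in the other files of this commit (the `sys_ptrace`, `vendor_file` and `proc_kallsyms` rules). The neverallow blocks start outside the hunks, so the target of the first hunk's rule is not visible here.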


@ -121,6 +121,7 @@ neverallow {
-dumpstate -dumpstate
userdebug_or_eng(`-incidentd') userdebug_or_eng(`-incidentd')
userdebug_or_eng(`-profcollectd') userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
-storaged -storaged
-system_server -system_server
} self:global_capability_class_set sys_ptrace; } self:global_capability_class_set sys_ptrace;
@ -456,6 +457,7 @@ full_treble_only(`
-iorap_inode2filename -iorap_inode2filename
-iorap_prefetcherd -iorap_prefetcherd
-kernel -kernel
userdebug_or_eng(`-simpleperf_boot')
-traced_perf -traced_perf
-ueventd -ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open }; } vendor_file:file { no_w_file_perms no_x_file_perms open };
@ -496,6 +498,7 @@ full_treble_only(`
-heapprofd -heapprofd
userdebug_or_eng(`-profcollectd') userdebug_or_eng(`-profcollectd')
-shell -shell
userdebug_or_eng(`-simpleperf_boot')
-system_executes_vendor_violators -system_executes_vendor_violators
-traced_perf # library/binary access for symbolization -traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc -ueventd # reads /vendor/ueventd.rc
@ -547,6 +550,7 @@ neverallow {
-init -init
userdebug_or_eng(`-profcollectd') userdebug_or_eng(`-profcollectd')
-vendor_init -vendor_init
userdebug_or_eng(`-simpleperf_boot')
-traced_probes -traced_probes
-traced_perf -traced_perf
} proc_kallsyms:file { open read }; } proc_kallsyms:file { open read };


@ -557,6 +557,7 @@ neverallow {
domain domain
-init -init
userdebug_or_eng(`-profcollectd') userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
userdebug_or_eng(`-traced_probes') userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf') userdebug_or_eng(`-traced_perf')
} { } {


@ -0,0 +1,59 @@
# Domain used when running /system/bin/simpleperf to record boot-time profiles.
# It is started by init process. It's only available on userdebug/eng build.
type simpleperf_boot, domain, coredomain, mlstrustedsubject;
# /data/simpleperf_boot_data, used to store boot-time profiles.
type simpleperf_boot_data_file, file_type;
userdebug_or_eng(`
domain_auto_trans(init, simpleperf_exec, simpleperf_boot)
# simpleperf_boot writes profile data to /data/simpleperf_boot_data.
allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms;
allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms;
# Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling.
allow simpleperf_boot self:perf_event { cpu kernel open read write };
allow simpleperf_boot self:global_capability2_class_set perfmon;
# Allow simpleperf_boot to scan through /proc/pid for all processes.
r_dir_file(simpleperf_boot, domain)
# Allow simpleperf_boot to read executable binaries.
allow simpleperf_boot system_file_type:file r_file_perms;
allow simpleperf_boot vendor_file_type:file r_file_perms;
# Allow simpleperf_boot to search for and read kernel modules.
allow simpleperf_boot vendor_file:dir r_dir_perms;
allow simpleperf_boot vendor_kernel_modules:file r_file_perms;
# Allow simpleperf_boot to read system bootstrap libs.
allow simpleperf_boot system_bootstrap_lib_file:dir search;
allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms;
# Allow simpleperf_boot to access tracefs.
allow simpleperf_boot debugfs_tracing:dir r_dir_perms;
allow simpleperf_boot debugfs_tracing:file rw_file_perms;
allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms;
allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms;
# Allow simpleperf_boot to write to perf_event_paranoid under /proc.
allow simpleperf_boot proc_perf:file write;
# Allow simpleperf_boot to read process maps.
allow simpleperf_boot self:global_capability_class_set sys_ptrace;
# Allow simpleperf_boot to read JIT debug info from system_server and zygote.
allow simpleperf_boot { system_server zygote }:process ptrace;
# Allow to temporarily lift the kptr_restrict setting and get kernel start address
# by reading /proc/kallsyms, get module start address by reading /proc/modules.
set_prop(simpleperf_boot, lower_kptr_restrict_prop)
allow simpleperf_boot proc_kallsyms:file r_file_perms;
allow simpleperf_boot proc_modules:file r_file_perms;
# Allow simpleperf_boot to read kernel build id.
allow simpleperf_boot sysfs_kernel_notes:file r_file_perms;
dontaudit simpleperf_boot shell_data_file:dir search;
')
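Review bot: The comment above `allow simpleperf_boot { system_server zygote }:process ptrace;` describes the grant as reading JIT debug info, but the SELinux `ptrace` permission does not separate reading from attaching to and modifying the target, so the rule gives this domain full ptrace over system_server and zygote. I would say so in the comment, e.g. `# Needed to read JIT debug info; this is full ptrace access to both processes, acceptable only because the rules exist on userdebug/eng builds.` Likewise `self:global_capability_class_set sys_ptrace` is documented as "read process maps", while the capability itself is not limited to that. The closing `dontaudit simpleperf_boot shell_data_file:dir search;` has no comment naming the access it silences or why that denial is expected.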