From c8fe29ff1e3d7aa93b2849afb0faebd8cdbadf73 Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Fri, 30 Mar 2018 13:10:35 -0700
Subject: [PATCH] Selinux: Fix perfprofd policy

Update for debugfs labeling changes.

Update for simpleperf behavior with stack traces (temp file).

Bug: 73175642
Test: m
Test: manual - run profiling, look for logs
Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661
---
 public/perfprofd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/public/perfprofd.te b/public/perfprofd.te
index 494e75bed..f067af5d4 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -82,10 +82,12 @@ userdebug_or_eng(`
 
   # simpleperf examines debugfs on startup to collect tracepoint event types
   r_dir_file(perfprofd, debugfs_tracing)
-  allow perfprofd debugfs_tracing_debug:file r_file_perms;
+  r_dir_file(perfprofd, debugfs_tracing_debug)
 
   # simpleperf is going to execute "sleep"
   allow perfprofd toolbox_exec:file rx_file_perms;
+  # simpleperf is going to execute "mv" on a temp file
+  allow perfprofd shell_exec:file rx_file_perms;
 
   # needed for simpleperf on some kernels
   allow perfprofd self:global_capability_class_set ipc_lock;