Merge "Sepolicy: Update rules for perfprofd"

am: 7e1d3882bc

Change-Id: I67f21eaf8714c5291818510e1676082410418100
Andreas Gampe 2017-12-09 20:37:31 +00:00 committed by android-build-merger
commit d9ecc4cac3
3 changed files with 32 additions and 2 deletions


@ -72,7 +72,7 @@ full_treble_only(`
userdebug_or_eng(`-atrace')
-dumpstate
-init
-perfprofd
userdebug_or_eng(`-perfprofd')
-shell
-vendor_init
} debugfs_tracing:file no_rw_file_perms;


@ -762,6 +762,7 @@ full_treble_only(`
-idmap
-init
-installd
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
-vendor_init
@ -774,6 +775,7 @@ full_treble_only(`
-idmap
-init
-installd
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
-vendor_init
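Review bot: The new `userdebug_or_eng(`-perfprofd')` exemption in this hunk and the matching one at -762 are added without a comment saying which perfprofd rule forces them, and the neverallow statements these lists belong to begin outside the hunk, so the protected types are not visible here. Judging from the perfprofd.te hunk in the same commit, which adds `r_dir_file(perfprofd, vendor_file)` and `r_dir_file(perfprofd, vendor_app_file)`, these are presumably the vendor-file neverallows being carved out, but that should be stated rather than inferred. A one-line comment above each exemption, such as `# perfprofd reads vendor libraries/apps for build-ID lookup (see perfprofd.te)`, would let a later reviewer confirm the carve-out is still needed when the perfprofd rules change.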


@ -33,9 +33,26 @@ userdebug_or_eng(`
# perfprofd inspects /sys/power/wake_unlock
wakelock_use(perfprofd);
# perfprofd looks at thermals.
allow perfprofd sysfs_thermal:dir r_dir_perms;
# perfprofd checks power_supply.
r_dir_file(perfprofd, sysfs_batteryinfo)
# simpleperf reads kernel notes.
allow perfprofd sysfs_kernel_notes:file r_file_perms;
# Simpleperf & perfprofd query a range of proc stats.
allow perfprofd proc_loadavg:file r_file_perms;
allow perfprofd proc_stat:file r_file_perms;
allow perfprofd proc_modules:file r_file_perms;
# simpleperf writes to perf_event_paranoid under /proc.
allow perfprofd proc_perf:file write;
# Simpleperf: kptr_restrict. This would be required to dump kernel symbols.
dontaudit perfprofd proc_security:file *;
# simpleperf uses ioctl() to turn on kernel perf events measurements
allow perfprofd self:global_capability_class_set sys_admin;
@ -49,9 +66,20 @@ userdebug_or_eng(`
# simpleperf needs open/read any file that turns up in a profile
# to see whether it has a build ID
allow perfprofd exec_type:file r_file_perms;
# App & ART artifacts.
r_dir_file(perfprofd, apk_data_file)
r_dir_file(perfprofd, dalvikcache_data_file)
# Vendor libraries.
r_dir_file(perfprofd, vendor_file)
# Vendor apps.
r_dir_file(perfprofd, vendor_app_file)
# simpleperf will set security.perf_harden to enable access to perf_event_open()
set_prop(perfprofd, shell_prop)
# simpleperf examines debugfs on startup to collect tracepoint event types
allow perfprofd debugfs_tracing:file r_file_perms;
r_dir_file(perfprofd, debugfs_tracing)
allow perfprofd debugfs_tracing_debug:file r_file_perms;
# simpleperf is going to execute "sleep"
allow perfprofd toolbox_exec:file rx_file_perms;
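Review bot: `dontaudit perfprofd proc_security:file *;` in the first hunk suppresses auditing of every permission on that type, so any later attempt by the domain to write kptr_restrict or another sysctl labelled proc_security would fail silently with nothing in the audit log; narrowing it to what simpleperf is expected to try, e.g. `dontaudit perfprofd proc_security:file { read write };`, keeps the suppression bounded to the documented case. The same hunk grants `self:global_capability_class_set sys_admin` together with `proc_perf:file write`, which jointly allow the domain to lower perf_event_paranoid system-wide; the comments explain why each is needed, but since the enclosing `userdebug_or_eng(` block opens and closes outside the hunk, a short comment stating that these grants must stay inside that block would make the user-build exposure explicit. In the second hunk, `set_prop(perfprofd, shell_prop)` permits setting every property in the shell_prop context, not only the security.perf_harden property the comment names; a dedicated property context for that property would confine the write to what is actually required.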