From 41a18f5bf396a88f2cf1088f799ee6f3920fb0a6 Mon Sep 17 00:00:00 2001
From: Yabin Cui
Date: Wed, 30 Jun 2021 11:54:41 -0700
Subject: [PATCH 1/2] simpleperf_app_runner: move rules to private.
Bug: 192404394
Test: build
Change-Id: Icef1ebdd59668b31a07ac0a5aea30a87eac1da45
---
 private/simpleperf_app_runner.te | 42 ++++++++++++++++++++++++++++++++
 public/simpleperf_app_runner.te | 42 --------------------------------
 2 files changed, 42 insertions(+), 42 deletions(-)
diff --git a/private/simpleperf_app_runner.te b/private/simpleperf_app_runner.te
index 850182605..17fd8cdc2 100644
--- a/private/simpleperf_app_runner.te
+++ b/private/simpleperf_app_runner.te
@@ -1,3 +1,45 @@
 typeattribute simpleperf_app_runner coredomain;
 domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
+
+# run simpleperf_app_runner in adb shell.
+allow simpleperf_app_runner adbd:fd use;
+allow simpleperf_app_runner shell:fd use;
+allow simpleperf_app_runner devpts:chr_file { read write ioctl };
+
+# simpleperf_app_runner reads package information.
+allow simpleperf_app_runner system_data_file:file r_file_perms;
+allow simpleperf_app_runner system_data_file:lnk_file getattr;
+allow simpleperf_app_runner packages_list_file:file r_file_perms;
+
+# The app's data dir may be accessed through a symlink.
+allow simpleperf_app_runner system_data_file:lnk_file read;
+
+# simpleperf_app_runner switches to the app UID/GID.
+allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
+
+# simpleperf_app_runner switches to the app security context.
+selinux_check_context(simpleperf_app_runner) # validate context
+allow simpleperf_app_runner self:process setcurrent;
+allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
+
+# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
+
+# simpleperf_app_runner passes pipe fds.
+# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
+allow simpleperf_app_runner shell:fifo_file { read write };
+
+# simpleperf_app_runner checks shell data paths.
+# simpleperf_app_runner passes shell data fds.
+allow simpleperf_app_runner shell_data_file:dir { getattr search };
+allow simpleperf_app_runner shell_data_file:file { getattr write };
+
+###
+### neverallow rules
+###
+
+# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
+neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index 2ed007e10..3719d9f4d 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -1,44 +1,2 @@
 type simpleperf_app_runner, domain, mlstrustedsubject;
 type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
-
-# run simpleperf_app_runner in adb shell.
-allow simpleperf_app_runner adbd:fd use;
-allow simpleperf_app_runner shell:fd use;
-allow simpleperf_app_runner devpts:chr_file { read write ioctl };
-
-# simpleperf_app_runner reads package information.
-allow simpleperf_app_runner system_data_file:file r_file_perms;
-allow simpleperf_app_runner system_data_file:lnk_file getattr;
-allow simpleperf_app_runner packages_list_file:file r_file_perms;
-
-# The app's data dir may be accessed through a symlink.
-allow simpleperf_app_runner system_data_file:lnk_file read;
-
-# simpleperf_app_runner switches to the app UID/GID.
-allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
-
-# simpleperf_app_runner switches to the app security context.
-selinux_check_context(simpleperf_app_runner) # validate context
-allow simpleperf_app_runner self:process setcurrent;
-allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
-
-# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
-
-# simpleperf_app_runner passes pipe fds.
-# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
-allow simpleperf_app_runner shell:fifo_file { read write };
-
-# simpleperf_app_runner checks shell data paths.
-# simpleperf_app_runner passes shell data fds.
-allow simpleperf_app_runner shell_data_file:dir { getattr search };
-allow simpleperf_app_runner shell_data_file:file { getattr write };
-
-###
-### neverallow rules
-###
-
-# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
-neverallow simpleperf_app_runner self:global_capability2_class_set *;
From 26de4c4ecc1fa0229052b6c3a255ef0ae7c85bdd Mon Sep 17 00:00:00 2001
From: Yabin Cui
Date: Wed, 30 Jun 2021 17:20:09 -0700
Subject: [PATCH 2/2] allow simpleperf to profile more app types.
So simpleperf can profile these apps when they are marked to be profileable/debuggable.
Bug: 192404394
Test: build and run simpleperf to profile com.android.systemui.
Change-Id: Ia2defe725a8fafbcb6c2d20e771b343d8822ccbc
---
 private/simpleperf.te | 20 +++++++++++++++++---
 private/simpleperf_app_runner.te | 2 +-
 private/untrusted_app_all.te | 5 -----
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/private/simpleperf.te b/private/simpleperf.te
index 0639c1136..9c700600e 100644
--- a/private/simpleperf.te
+++ b/private/simpleperf.te
@@ -5,7 +5,16 @@ typeattribute simpleperf coredomain;
 type simpleperf_exec, system_file_type, exec_type, file_type;
-domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
+# Define apps that can be marked debuggable/profileable and be profiled by simpleperf.
+define(`simpleperf_profileable_apps', `{
+ ephemeral_app
+ isolated_app
+ platform_app
+ priv_app
+ untrusted_app_all
+}')
+
+domain_auto_trans({ simpleperf_profileable_apps -runas_app }, simpleperf_exec, simpleperf)
 # When running in this domain, simpleperf is scoped to profiling an individual
 # app. The necessary MAC permissions for profiling are more maintainable and
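Review bot: `simpleperf_profileable_apps` is introduced with an m4 `define` local to simpleperf.te, yet the same five domains are written out again inline in the `dyntransition` rule of the simpleperf_app_runner.te hunk below, so the two lists can drift apart the next time a domain is added to only one of them. Unless policy concatenation order keeps the define out of scope there, the runner rule could use the macro, or the define could live in the shared macro file (`public/te_macros`) with both call sites using it. The comment on the define also reads as if policy enforces the debuggable/profileable mark, whereas the `ptrace` and `r_dir_file` rules in the next hunk apply to every process in those domains; presumably the mark is checked by simpleperf_app_runner before the transition, but the policy should say so. Suggested wording: `# These rules apply to every process in these domains; the debuggable/profileable check is done by the runner, not by policy.`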
@@ -16,14 +25,19 @@ untrusted_app_domain(simpleperf)
 # Allow ptrace attach to the target app, for reading JIT debug info (using
 # process_vm_readv) during unwinding and symbolization.
-allow simpleperf untrusted_app_all:process ptrace;
+allow simpleperf simpleperf_profileable_apps:process ptrace;
 # Allow using perf_event_open syscall for profiling the target app.
 allow simpleperf self:perf_event { open read write kernel };
 # Allow /proc/ access for the target app (for example, when trying to
 # discover it by cmdline).
-r_dir_file(simpleperf, untrusted_app_all)
+r_dir_file(simpleperf, simpleperf_profileable_apps)
+
+# Allow apps signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow simpleperf_profileable_apps simpleperf:process signal;
 # Suppress denial logspam when simpleperf is trying to find a matching process
 # by scanning /proc//cmdline files. The /proc/ directories are within
diff --git a/private/simpleperf_app_runner.te b/private/simpleperf_app_runner.te
index 17fd8cdc2..184a80a05 100644
--- a/private/simpleperf_app_runner.te
+++ b/private/simpleperf_app_runner.te
@@ -21,7 +21,7 @@ allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
 # simpleperf_app_runner switches to the app security context.
 selinux_check_context(simpleperf_app_runner) # validate context
 allow simpleperf_app_runner self:process setcurrent;
-allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
+allow simpleperf_app_runner { ephemeral_app isolated_app platform_app priv_app untrusted_app_all }:process dyntransition; # setcon
 # simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
 # determine which domain to transition to.
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6064c1453..f7dfdeba0 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -170,8 +170,3 @@ userdebug_or_eng(`
 # according to the heuristic of lockdown.
 allow untrusted_app_all self:lockdown integrity;
 ')
-
-# Allow signalling simpleperf domain, which is the domain that the simpleperf
-# profiler runs as when executed by the app. The signals are used to control
-# the profiler (which would be profiling the app that is sending the signal).
-allow untrusted_app_all simpleperf:process signal;