Add sepolicy for simpleperf_boot.

simpleperf_boot is the secontext used to run simpleperf from init, to generate boot-time profiles. Bug: 214731005 Test: run simpleperf manually Change-Id: I6f37515681f4963faf84cb1059a8d5845c2fe5a5
2021-11-24 14:06:07 -08:00 · 2021-11-24 14:06:07 -08:00 · f17fb4270c
commit f17fb4270c
parent d6a5b604ce
4 changed files with 67 additions and 0 deletions
--- a/private/coredomain.te
+++ b/private/coredomain.te
@ -76,6 +76,7 @@ full_treble_only(`
        userdebug_or_eng(`-profcollectd')
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
+        userdebug_or_eng(`-simpleperf_boot')
        -system_server
        -traced_perf
        -mediaserver
@ -121,6 +122,7 @@ full_treble_only(`
        -zygote
        -heapprofd
        userdebug_or_eng(`-profcollectd')
+        userdebug_or_eng(`-simpleperf_boot')
    } vendor_overlay_file:file open;
 ')

@ -176,6 +178,7 @@ full_treble_only(`
    -system_server
    -traceur_app
    userdebug_or_eng(`-profcollectd')
+    userdebug_or_eng(`-simpleperf_boot')
  } debugfs_tracing:file no_rw_file_perms;

  # inotifyfs
--- a/private/domain.te
+++ b/private/domain.te
@ -121,6 +121,7 @@ neverallow {
  -dumpstate
  userdebug_or_eng(`-incidentd')
  userdebug_or_eng(`-profcollectd')
+  userdebug_or_eng(`-simpleperf_boot')
  -storaged
  -system_server
 } self:global_capability_class_set sys_ptrace;
@ -456,6 +457,7 @@ full_treble_only(`
    -iorap_inode2filename
    -iorap_prefetcherd
    -kernel
+    userdebug_or_eng(`-simpleperf_boot')
    -traced_perf
    -ueventd
  } vendor_file:file { no_w_file_perms no_x_file_perms open };
@ -496,6 +498,7 @@ full_treble_only(`
    -heapprofd
    userdebug_or_eng(`-profcollectd')
    -shell
+    userdebug_or_eng(`-simpleperf_boot')
    -system_executes_vendor_violators
    -traced_perf # library/binary access for symbolization
    -ueventd # reads /vendor/ueventd.rc
@ -547,6 +550,7 @@ neverallow {
  -init
  userdebug_or_eng(`-profcollectd')
  -vendor_init
+  userdebug_or_eng(`-simpleperf_boot')
  -traced_probes
  -traced_perf
 } proc_kallsyms:file { open read };
--- a/private/property.te
+++ b/private/property.te
@ -557,6 +557,7 @@ neverallow {
  domain
  -init
  userdebug_or_eng(`-profcollectd')
+  userdebug_or_eng(`-simpleperf_boot')
  userdebug_or_eng(`-traced_probes')
  userdebug_or_eng(`-traced_perf')
 } {
--- a/private/simpleperf_boot.te
+++ b/private/simpleperf_boot.te
@ -0,0 +1,59 @@
+# Domain used when running /system/bin/simpleperf to record boot-time profiles.
+# It is started by init process. It's only available on userdebug/eng build.
+
+type simpleperf_boot, domain, coredomain, mlstrustedsubject;
+
+# /data/simpleperf_boot_data, used to store boot-time profiles.
+type simpleperf_boot_data_file, file_type;
+
+userdebug_or_eng(`
+  domain_auto_trans(init, simpleperf_exec, simpleperf_boot)
+
+  # simpleperf_boot writes profile data to /data/simpleperf_boot_data.
+  allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms;
+  allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms;
+
+  # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling.
+  allow simpleperf_boot self:perf_event { cpu kernel open read write };
+  allow simpleperf_boot self:global_capability2_class_set perfmon;
+
+  # Allow simpleperf_boot to scan through /proc/pid for all processes.
+  r_dir_file(simpleperf_boot, domain)
+
+  # Allow simpleperf_boot to read executable binaries.
+  allow simpleperf_boot system_file_type:file r_file_perms;
+  allow simpleperf_boot vendor_file_type:file r_file_perms;
+
+  # Allow simpleperf_boot to search for and read kernel modules.
+  allow simpleperf_boot vendor_file:dir r_dir_perms;
+  allow simpleperf_boot vendor_kernel_modules:file r_file_perms;
+
+  # Allow simpleperf_boot to read system bootstrap libs.
+  allow simpleperf_boot system_bootstrap_lib_file:dir search;
+  allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms;
+
+  # Allow simpleperf_boot to access tracefs.
+  allow simpleperf_boot debugfs_tracing:dir r_dir_perms;
+  allow simpleperf_boot debugfs_tracing:file rw_file_perms;
+  allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms;
+  allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms;
+
+  # Allow simpleperf_boot to write to perf_event_paranoid under /proc.
+  allow simpleperf_boot proc_perf:file write;
+
+  # Allow simpleperf_boot to read process maps.
+  allow simpleperf_boot self:global_capability_class_set sys_ptrace;
+  # Allow simpleperf_boot to read JIT debug info from system_server and zygote.
+  allow simpleperf_boot { system_server zygote }:process ptrace;
+
+  # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+  # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+  set_prop(simpleperf_boot, lower_kptr_restrict_prop)
+  allow simpleperf_boot proc_kallsyms:file r_file_perms;
+  allow simpleperf_boot proc_modules:file r_file_perms;
+
+  # Allow simpleperf_boot to read kernel build id.
+  allow simpleperf_boot sysfs_kernel_notes:file r_file_perms;
+
+  dontaudit simpleperf_boot shell_data_file:dir search;
+')