Merge "Add permissions in profcollectd to parse kernel etm data." am: 006c740746

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1646266

Change-Id: I8c13782b40c0c2af0dc4f8556f239e2079e49f42
This commit is contained in:
Yabin Cui 2021-04-09 17:48:45 +00:00 committed by Automerger Merge Worker
commit fcdbb8c1f8
4 changed files with 26 additions and 11 deletions

View file

@ -498,3 +498,15 @@ neverallow {
-vendor_init
-dumpstate
} mm_events_config_prop:file no_rw_file_perms;
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are repalced with symbol
# names (if available). Traces don't disclose KASLR.
neverallow {
domain
-init
userdebug_or_eng(`-profcollectd')
-vendor_init
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };

View file

@ -19,6 +19,10 @@ userdebug_or_eng(`
allow profcollectd system_file_type:file r_file_perms;
allow profcollectd vendor_file_type:file r_file_perms;
# Allow profcollectd to search for and read kernel modules.
allow profcollectd vendor_file:dir r_dir_perms;
allow profcollectd vendor_kernel_modules:file r_file_perms;
# Allow profcollectd to read system bootstrap libs.
allow profcollectd system_bootstrap_lib_file:dir search;
allow profcollectd system_bootstrap_lib_file:file r_file_perms;
@ -45,4 +49,13 @@ userdebug_or_eng(`
# Allow profcollectd to publish a binder service and make binder calls.
binder_use(profcollectd)
add_service(profcollectd, profcollectd_service)
# Allow to temporarily lift the kptr_restrict setting and get kernel start address
# by reading /proc/kallsyms, get module start address by reading /proc/modules.
set_prop(profcollectd, lower_kptr_restrict_prop)
allow profcollectd proc_kallsyms:file r_file_perms;
allow profcollectd proc_modules:file r_file_perms;
# Allow profcollectd to read kernel build id.
allow profcollectd sysfs_kernel_notes:file r_file_perms;
')

View file

@ -533,6 +533,7 @@ neverallow {
neverallow {
domain
-init
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
} {

View file

@ -446,17 +446,6 @@ neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
# kernel traces. Addresses are not disclosed, they are repalced with symbol
# names (if available). Traces don't disclose KASLR.
neverallow {
domain
-init
-vendor_init
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;