Merge "Add permissions in profcollectd to parse kernel etm data." am: 006c740746
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1646266 Change-Id: I8c13782b40c0c2af0dc4f8556f239e2079e49f42
This commit is contained in:
commit
fcdbb8c1f8
4 changed files with 26 additions and 11 deletions
|
@ -498,3 +498,15 @@ neverallow {
|
|||
-vendor_init
|
||||
-dumpstate
|
||||
} mm_events_config_prop:file no_rw_file_perms;
|
||||
|
||||
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
|
||||
# kernel traces. Addresses are not disclosed, they are repalced with symbol
|
||||
# names (if available). Traces don't disclose KASLR.
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
userdebug_or_eng(`-profcollectd')
|
||||
-vendor_init
|
||||
-traced_probes
|
||||
-traced_perf
|
||||
} proc_kallsyms:file { open read };
|
||||
|
|
|
@ -19,6 +19,10 @@ userdebug_or_eng(`
|
|||
allow profcollectd system_file_type:file r_file_perms;
|
||||
allow profcollectd vendor_file_type:file r_file_perms;
|
||||
|
||||
# Allow profcollectd to search for and read kernel modules.
|
||||
allow profcollectd vendor_file:dir r_dir_perms;
|
||||
allow profcollectd vendor_kernel_modules:file r_file_perms;
|
||||
|
||||
# Allow profcollectd to read system bootstrap libs.
|
||||
allow profcollectd system_bootstrap_lib_file:dir search;
|
||||
allow profcollectd system_bootstrap_lib_file:file r_file_perms;
|
||||
|
@ -45,4 +49,13 @@ userdebug_or_eng(`
|
|||
# Allow profcollectd to publish a binder service and make binder calls.
|
||||
binder_use(profcollectd)
|
||||
add_service(profcollectd, profcollectd_service)
|
||||
|
||||
# Allow to temporarily lift the kptr_restrict setting and get kernel start address
|
||||
# by reading /proc/kallsyms, get module start address by reading /proc/modules.
|
||||
set_prop(profcollectd, lower_kptr_restrict_prop)
|
||||
allow profcollectd proc_kallsyms:file r_file_perms;
|
||||
allow profcollectd proc_modules:file r_file_perms;
|
||||
|
||||
# Allow profcollectd to read kernel build id.
|
||||
allow profcollectd sysfs_kernel_notes:file r_file_perms;
|
||||
')
|
||||
|
|
|
@ -533,6 +533,7 @@ neverallow {
|
|||
neverallow {
|
||||
domain
|
||||
-init
|
||||
userdebug_or_eng(`-profcollectd')
|
||||
userdebug_or_eng(`-traced_probes')
|
||||
userdebug_or_eng(`-traced_perf')
|
||||
} {
|
||||
|
|
|
@ -446,17 +446,6 @@ neverallow { domain -init } usermodehelper:file { append write };
|
|||
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
|
||||
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
|
||||
|
||||
# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
|
||||
# kernel traces. Addresses are not disclosed, they are repalced with symbol
|
||||
# names (if available). Traces don't disclose KASLR.
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-vendor_init
|
||||
-traced_probes
|
||||
-traced_perf
|
||||
} proc_kallsyms:file { open read };
|
||||
|
||||
# Init can't do anything with binder calls. If this neverallow rule is being
|
||||
# triggered, it's probably due to a service with no SELinux domain.
|
||||
neverallow * init:binder *;
|
||||
|
|
Loading…
Reference in a new issue