platform_system_sepolicy/public/perfprofd.te
Benjamin Gordon 342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00

119 lines
4.4 KiB
Text

# perfprofd - perf profile collection daemon
type perfprofd, domain;
type perfprofd_exec, exec_type, file_type;
userdebug_or_eng(`
typeattribute perfprofd coredomain;
typeattribute perfprofd mlstrustedsubject;
# perfprofd access to sysfs directory structure.
allow perfprofd sysfs_type:dir search;
# perfprofd needs to control CPU hot-plug in order to avoid kernel
# perfevents problems in cases where CPU goes on/off during measurement;
# this means read access to /sys/devices/system/cpu/possible
# and read/write access to /sys/devices/system/cpu/cpu*/online
allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
# perfprofd checks for the existence of and then invokes simpleperf;
# simpleperf retains perfprofd domain after exec
allow perfprofd system_file:file rx_file_perms;
# perfprofd reads a config file from /data/data/com.google.android.gms/files
allow perfprofd { privapp_data_file app_data_file }:file r_file_perms;
allow perfprofd { privapp_data_file app_data_file }:dir search;
allow perfprofd self:global_capability_class_set { dac_override dac_read_search };
# perfprofd opens a file for writing in /data/misc/perfprofd
allow perfprofd perfprofd_data_file:file create_file_perms;
allow perfprofd perfprofd_data_file:dir rw_dir_perms;
# perfprofd uses the system log
read_logd(perfprofd);
write_logd(perfprofd);
# perfprofd inspects /sys/power/wake_unlock
wakelock_use(perfprofd);
# perfprofd looks at thermals.
allow perfprofd sysfs_thermal:dir r_dir_perms;
# perfprofd gets charging status.
hal_client_domain(perfprofd, hal_health)
# simpleperf reads kernel notes.
allow perfprofd sysfs_kernel_notes:file r_file_perms;
# Simpleperf & perfprofd query a range of proc stats.
allow perfprofd proc_loadavg:file r_file_perms;
allow perfprofd proc_stat:file r_file_perms;
allow perfprofd proc_modules:file r_file_perms;
# simpleperf writes to perf_event_paranoid under /proc.
allow perfprofd proc_perf:file write;
# Simpleperf: kptr_restrict. This would be required to dump kernel symbols.
dontaudit perfprofd proc_security:file *;
# simpleperf uses ioctl() to turn on kernel perf events measurements
allow perfprofd self:global_capability_class_set sys_admin;
# simpleperf needs to examine /proc to collect task/thread info
r_dir_file(perfprofd, domain)
# simpleperf needs to access /proc/<pid>/exec
allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
neverallow perfprofd domain:process ptrace;
# simpleperf needs open/read any file that turns up in a profile
# to see whether it has a build ID
allow perfprofd exec_type:file r_file_perms;
# App & ART artifacts.
r_dir_file(perfprofd, apk_data_file)
r_dir_file(perfprofd, dalvikcache_data_file)
# Vendor libraries.
r_dir_file(perfprofd, vendor_file)
# Vendor apps.
r_dir_file(perfprofd, vendor_app_file)
# simpleperf will set security.perf_harden to enable access to perf_event_open()
set_prop(perfprofd, shell_prop)
# simpleperf examines debugfs on startup to collect tracepoint event types
r_dir_file(perfprofd, debugfs_tracing)
r_dir_file(perfprofd, debugfs_tracing_debug)
# simpleperf is going to execute "sleep"
allow perfprofd toolbox_exec:file rx_file_perms;
# simpleperf is going to execute "mv" on a temp file
allow perfprofd shell_exec:file rx_file_perms;
# needed for simpleperf on some kernels
allow perfprofd self:global_capability_class_set ipc_lock;
# simpleperf attempts to put a temp file into /data/local/tmp. Do not allow,
# use the fallback cwd code, do not spam the log. But ensure this is correctly
# removed at some point. b/70232908.
dontaudit perfprofd shell_data_file:dir *;
dontaudit perfprofd shell_data_file:file *;
# Allow perfprofd to publish a binder service and make binder calls.
binder_use(perfprofd)
add_service(perfprofd, perfprofd_service)
# Use devpts for streams from cmd.
#
# This is normally granted to binderservicedomain, but this service
# has tighter restrictions on the callers (see below), so must enable
# this manually.
allow perfprofd devpts:chr_file rw_file_perms;
# Use socket & pipe supplied by su, for cmd perfprofd dump.
allow perfprofd su:unix_stream_socket { read write getattr sendto };
allow perfprofd su:fifo_file r_file_perms;
# Allow perfprofd to submit to dropbox.
allow perfprofd dropbox_service:service_manager find;
binder_call(perfprofd, system_server)
')