platform_system_sepolicy/public/perfprofd.te
Tri Vo 90cf5a7fb3 same_process_hal_file: access to individual coredomains
Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)

Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
2018-10-26 18:03:01 +00:00

121 lines
4.5 KiB
Text

# perfprofd - perf profile collection daemon
type perfprofd, domain;
type perfprofd_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
typeattribute perfprofd coredomain;
typeattribute perfprofd mlstrustedsubject;
# perfprofd access to sysfs directory structure.
allow perfprofd sysfs_type:dir search;
# perfprofd needs to control CPU hot-plug in order to avoid kernel
# perfevents problems in cases where CPU goes on/off during measurement;
# this means read access to /sys/devices/system/cpu/possible
# and read/write access to /sys/devices/system/cpu/cpu*/online
allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
# perfprofd checks for the existence of and then invokes simpleperf;
# simpleperf retains perfprofd domain after exec
allow perfprofd system_file:file rx_file_perms;
# perfprofd reads a config file from /data/data/com.google.android.gms/files
allow perfprofd { privapp_data_file app_data_file }:file r_file_perms;
allow perfprofd { privapp_data_file app_data_file }:dir search;
allow perfprofd self:global_capability_class_set { dac_override dac_read_search };
# perfprofd opens a file for writing in /data/misc/perfprofd
allow perfprofd perfprofd_data_file:file create_file_perms;
allow perfprofd perfprofd_data_file:dir rw_dir_perms;
# perfprofd uses the system log
read_logd(perfprofd);
write_logd(perfprofd);
# perfprofd inspects /sys/power/wake_unlock
wakelock_use(perfprofd);
# perfprofd looks at thermals.
allow perfprofd sysfs_thermal:dir r_dir_perms;
# perfprofd gets charging status.
hal_client_domain(perfprofd, hal_health)
# simpleperf reads kernel notes.
allow perfprofd sysfs_kernel_notes:file r_file_perms;
# Simpleperf & perfprofd query a range of proc stats.
allow perfprofd proc_loadavg:file r_file_perms;
allow perfprofd proc_stat:file r_file_perms;
allow perfprofd proc_modules:file r_file_perms;
# simpleperf writes to perf_event_paranoid under /proc.
allow perfprofd proc_perf:file write;
# Simpleperf: kptr_restrict. This would be required to dump kernel symbols.
dontaudit perfprofd proc_security:file *;
# simpleperf uses ioctl() to turn on kernel perf events measurements
allow perfprofd self:global_capability_class_set sys_admin;
# simpleperf needs to examine /proc to collect task/thread info
r_dir_file(perfprofd, domain)
# simpleperf needs to access /proc/<pid>/exec
allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
neverallow perfprofd domain:process ptrace;
# simpleperf needs open/read any file that turns up in a profile
# to see whether it has a build ID
allow perfprofd exec_type:file r_file_perms;
# App & ART artifacts.
r_dir_file(perfprofd, apk_data_file)
r_dir_file(perfprofd, dalvikcache_data_file)
# Vendor libraries.
r_dir_file(perfprofd, vendor_file)
# Vendor apps.
r_dir_file(perfprofd, vendor_app_file)
# SP HAL files.
r_dir_file(perfprofd, same_process_hal_file)
# simpleperf will set security.perf_harden to enable access to perf_event_open()
set_prop(perfprofd, shell_prop)
# simpleperf examines debugfs on startup to collect tracepoint event types
r_dir_file(perfprofd, debugfs_tracing)
r_dir_file(perfprofd, debugfs_tracing_debug)
# simpleperf is going to execute "sleep"
allow perfprofd toolbox_exec:file rx_file_perms;
# simpleperf is going to execute "mv" on a temp file
allow perfprofd shell_exec:file rx_file_perms;
# needed for simpleperf on some kernels
allow perfprofd self:global_capability_class_set ipc_lock;
# simpleperf attempts to put a temp file into /data/local/tmp. Do not allow,
# use the fallback cwd code, do not spam the log. But ensure this is correctly
# removed at some point. b/70232908.
dontaudit perfprofd shell_data_file:dir *;
dontaudit perfprofd shell_data_file:file *;
# Allow perfprofd to publish a binder service and make binder calls.
binder_use(perfprofd)
add_service(perfprofd, perfprofd_service)
# Use devpts for streams from cmd.
#
# This is normally granted to binderservicedomain, but this service
# has tighter restrictions on the callers (see below), so must enable
# this manually.
allow perfprofd devpts:chr_file rw_file_perms;
# Use socket & pipe supplied by su, for cmd perfprofd dump.
allow perfprofd su:unix_stream_socket { read write getattr sendto };
allow perfprofd su:fifo_file r_file_perms;
# Allow perfprofd to submit to dropbox.
allow perfprofd dropbox_service:service_manager find;
binder_call(perfprofd, system_server)
')