platform_system_sepolicy/private/traced_perf.te
Ryan Savitski cfd767180d traced_perf sepolicy tweaks
* allow shell to enable/disable the daemon via a sysprop
* don't audit signals, as some denials are expected
* exclude zygote from the profileable set of targets on debug builds.
  I've not caught any crashes in practice, but believe there's a
  possibility that the zygote forks while holding a non-whitelisted fd
  due to the signal handler.

Bug: 144281346
Merged-In: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
(cherry picked from commit 008465e5ec)
2020-02-28 15:04:43 +00:00

58 lines
2.2 KiB
Text

# Performance profiler, backed by perf_event_open(2).
# See go/perfetto-perf-android.
typeattribute traced_perf coredomain;
typeattribute traced_perf mlstrustedsubject;
type traced_perf_exec, system_file_type, exec_type, file_type;
init_daemon_domain(traced_perf)
perfetto_producer(traced_perf)
# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
# profiling, but retain samples only for profileable processes.
# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
# check (which would require a process:attach SELinux allow-rule).
allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
# sampled stacks, which requires opening the backing libraries/executables (as
# symbols are usually not mapped into the process space). Not all such files
# are world-readable, e.g. odex files that included user profiles during
# profile-guided optimization.
allow traced_perf self:capability { kill dac_read_search };
# Allow reading /system/data/packages.list.
allow traced_perf packages_list_file:file r_file_perms;
# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };
# Do not audit failures to signal a process, as there are cases when this is
# expected (native processes on debug builds use the policy for enforcing which
# processes are profileable).
dontaudit traced_perf domain:process signal;
# Never allow access to app data files
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
# Never allow profiling highly privileged processes.
never_profile_heap(`{
bpfloader
init
kernel
keystore
llkd
logd
ueventd
vendor_init
vold
}')