ffa0dd93f3
This patch adds the necessary rules to support the existing usage of perf_event_open by the system partition, which almost exclusively concerns the simpleperf profiler. A new domain is introduced for some (but not all) executions of the system image simpleperf. The following configurations are supported: * shell -> shell process (no domain transition) * shell -> debuggable app (through shell -> runas -> runas_app) * shell -> profileable app (through shell -> simpleperf_app_runner -> untrusted_app -> simpleperf) * debuggable/profile app -> self (through untrusted_app -> simpleperf) simpleperf_app_runner still enters the untrusted_app domain immediately before exec to properly inherit the categories related to MLS. My understanding is that a direct transition would require modifying external/selinux and seapp_contexts as with "fromRunAs", which seems unnecessarily complex for this case. runas_app can still run side-loaded binaries and use perf_event_open, but it checks that the target app is exactly "debuggable" (profileability is insufficient). system-wide profiling is effectively constrained to "su" on debug builds. See go/perf-event-open-security for a more detailed explanation of the scenarios covered here. Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug Tested: manual simpleperf invocations on crosshatch-userdebug Bug: 137092007 Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066 |
||
---|---|---|
.. | ||
26.0 | ||
27.0 | ||
28.0 | ||
29.0 |