commit ff43be2ca9dcc80711fc14e0bfb847951f677243
author Inseob Kim <inseob@google.com> Mon Jun 07 16:56:56 2021 +0900
committer Inseob Kim <inseob@google.com> Mon Jun 07 18:44:35 2021 +0900
tree bf5e839c17d58df2298c811dbf18624f24b48133
parent b50e0fabe77f1f16a9d1fd79cd351bef3834c77c

Add microdroid specific sepolicy

Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.

Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938

microdroid/sepolicy/system/private/simpleperf.te

diff --git a/microdroid/sepolicy/system/private/simpleperf.te b/microdroid/sepolicy/system/private/simpleperf.te
new file mode 100644
index 0000000..0639c11
--- /dev/null
+++ b/microdroid/sepolicy/system/private/simpleperf.te
@@ -0,0 +1,37 @@
+# Domain used when running /system/bin/simpleperf to profile a specific app.
+# Entered either by the app itself exec-ing the binary, or through
+# simpleperf_app_runner (with shell as its origin). Certain other domains
+# (runas_app, shell) can also exec this binary without a domain transition.
+typeattribute simpleperf coredomain;
+type simpleperf_exec, system_file_type, exec_type, file_type;
+
+domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
+
+# When running in this domain, simpleperf is scoped to profiling an individual
+# app. The necessary MAC permissions for profiling are more maintainable and
+# consistent if simpleperf is marked as an app domain as well (as, for example,
+# it will then see the same set of system libraries as the app).
+app_domain(simpleperf)
+untrusted_app_domain(simpleperf)
+
+# Allow ptrace attach to the target app, for reading JIT debug info (using
+# process_vm_readv) during unwinding and symbolization.
+allow simpleperf untrusted_app_all:process ptrace;
+
+# Allow using perf_event_open syscall for profiling the target app.
+allow simpleperf self:perf_event { open read write kernel };
+
+# Allow /proc/<pid> access for the target app (for example, when trying to
+# discover it by cmdline).
+r_dir_file(simpleperf, untrusted_app_all)
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective processes, most of which this domain is
+# not allowed to see.
+dontaudit simpleperf domain:dir search;
+
+# Neverallows:
+
+# Profiling must be confined to the scope of an individual app.
+neverallow simpleperf self:perf_event ~{ open read write kernel };