commit 1b3cf9171a549200154dae5a6e5b3998efbcfa9d
author Priyanka Advani (xWF) <padvani@google.com> Fri Jan 24 10:08:49 2025 -0800
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Jan 24 10:08:49 2025 -0800
tree e5c5de5cbb205e8039618ec138d12849de9fc8b7
parent 6c9a13f387662128f4c984f253cd71aa0b1ce4dd

Revert "runas/shell.te: remove {kernel} to perf_event_open"

This reverts commit 6c9a13f387662128f4c984f253cd71aa0b1ce4dd.

Reason for revert: Droidmonitor created revert due to b/392093609. Will be verifying through ABTD before submission.

Change-Id: Ifdefd9d211686babb923ae62d0f5ece59bfd540a

private/runas_app.te

diff --git a/private/runas_app.te b/private/runas_app.te
index 63ce178..9142a19 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -28,8 +28,8 @@
 
 # Allow runas_app to call perf_event_open for profiling debuggable app
 # processes, but not the whole system.
-allow runas_app self:perf_event { open read write };
-neverallow runas_app self:perf_event ~{ open read write };
+allow runas_app self:perf_event { open read write kernel };
+neverallow runas_app self:perf_event ~{ open read write kernel };
 
 # Suppress bionic loader denial /data/local/tests directories.
 dontaudit runas_app shell_test_data_file:dir search;

private/shell.te

diff --git a/private/shell.te b/private/shell.te
index 3e45e1f..2033f7e 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -142,7 +142,7 @@
 
 # Allow shell to call perf_event_open for profiling other shell processes, but
 # not the whole system.
-allow shell self:perf_event { open read write };
+allow shell self:perf_event { open read write kernel };
 
 # Allow shell to read microdroid vendor image
 r_dir_file(shell, vendor_microdroid_file)