Policies for profcollectd

Bug: 79161490
Test: run profcollect with enforcing
Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
diff --git a/private/coredomain.te b/private/coredomain.te
index a4ab7e7..b3986ea 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -64,6 +64,7 @@
         -init
         -installd
         userdebug_or_eng(`-heapprofd')
+        userdebug_or_eng(`-profcollectd')
         -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
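Review bot: The added profcollectd exemption after the heapprofd entry carries no reason, unlike the neighbouring `-rs # spawned by appdomain, so carryover the exception above` line. The same applies to the exemptions added in the other two hunks of this file and the three in private/domain.te. A trailing comment such as `# reads binaries and tracefs for system-wide profiling` (wording to be confirmed against the daemon) would let a later reader judge whether each neverallow carve-out is still needed. The neverallow statement these lines belong to starts outside the hunk, so which rule is being relaxed here cannot be checked from the diff alone.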
@@ -110,6 +111,7 @@
         -webview_zygote
         -zygote
         userdebug_or_eng(`-heapprofd')
+        userdebug_or_eng(`-profcollectd')
     } vendor_overlay_file:file open;
 ')
 
@@ -159,6 +161,7 @@
     -shell
     -system_server
     -traceur_app
+    userdebug_or_eng(`-profcollectd')
   } debugfs_tracing:file no_rw_file_perms;
 
   # inotifyfs
diff --git a/private/domain.te b/private/domain.te
index 7f73b5b..3669d76 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -112,6 +112,7 @@
   userdebug_or_eng(`-llkd')
   -dumpstate
   userdebug_or_eng(`-incidentd')
+  userdebug_or_eng(`-profcollectd')
   -storaged
   -system_server
 } self:global_capability_class_set sys_ptrace;
@@ -375,6 +376,7 @@
     -bootanim
     -crash_dump
     -heapprofd
+    userdebug_or_eng(`-profcollectd')
     -init
     -iorap_inode2filename
     -iorap_prefetcherd
@@ -416,6 +418,7 @@
     -iorap_prefetcherd
     -kernel # loads /vendor/firmware
     userdebug_or_eng(`-heapprofd')
+    userdebug_or_eng(`-profcollectd')
     -shell
     -system_executes_vendor_violators
     -traced_perf # library/binary access for symbolization
diff --git a/private/file_contexts b/private/file_contexts
index 5cc5b9b..9479b0b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -314,6 +314,7 @@
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/profcollectd         u:object_r:profcollectd_exec:s0
+/system/bin/profcollectctl       u:object_r:profcollectd_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
 /system/bin/wpantund             u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
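Review bot: Labelling /system/bin/profcollectctl with `profcollectd_exec` gives the control tool the daemon's entry-point type, so any rule written for one binary applies to both. In this commit that means the shell rule added in private/shell.te also lets shell execute the profcollectd daemon binary itself. It also means `init_daemon_domain(profcollectd)` would put profcollectctl into the profcollectd domain, with its perf_event and sys_ptrace grants, if init ever started it. A separate exec type for the client, e.g. `/system/bin/profcollectctl u:object_r:profcollectctl_exec:s0` (type name illustrative; it would need declaring), keeps the two apart.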
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 6b861af..82cfad0 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -5,10 +5,35 @@
 userdebug_or_eng(`
   init_daemon_domain(profcollectd)
 
-  # profcollectd opens a file for writing in /data/misc/profcollectd
+  # profcollectd opens a file for writing in /data/misc/profcollectd.
   allow profcollectd profcollectd_data_file:file create_file_perms;
   allow profcollectd profcollectd_data_file:dir rw_dir_perms;
 
+  # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
+  allow profcollectd self:perf_event { cpu kernel open read write };
+
+  # Allow profcollectd to scan through /proc/pid for all processes.
+  r_dir_file(profcollectd, domain)
+
+  # Allow profcollectd to read executable binaries.
+  allow profcollectd system_file_type:file r_file_perms;
+  allow profcollectd vendor_file_type:file r_file_perms;
+
+  # Allow profcollectd to access tracefs.
+  allow profcollectd debugfs_tracing:dir r_dir_perms;
+  allow profcollectd debugfs_tracing:file rw_file_perms;
+  allow profcollectd debugfs_tracing_debug:dir r_dir_perms;
+  allow profcollectd debugfs_tracing_debug:file rw_file_perms;
+
+  # Allow profcollectd to write to perf_event_paranoid under /proc.
+  allow profcollectd proc_perf:file write;
+
+  # Allow profcollectd to access cs_etm sysfs.
+  r_dir_file(profcollectd, sysfs_devices_cs_etm)
+
+  # Allow profcollectd to ptrace.
+  allow profcollectd self:global_capability_class_set sys_ptrace;
+
   # Allow profcollectd to publish a binder service and make binder calls.
   binder_use(profcollectd)
   add_service(profcollectd, profcollectd_service)
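Review bot: The comment `# Allow profcollectd to ptrace.` on the `self:global_capability_class_set sys_ptrace` rule does not say what the capability is for. The hunk grants no `process ptrace` permission on other domains, so the daemon presumably needs CAP_SYS_PTRACE only to pass the kernel's ptrace access check when reading other processes' /proc entries. If that is confirmed, a comment like `# CAP_SYS_PTRACE is needed to read /proc/<pid> of other processes; no domain:process ptrace is granted.` would make the scope clear. Likewise, `proc_perf:file write` lets the daemon change the global perf_event_paranoid setting, and its comment should say which value is written and whether it is restored afterwards. The enclosing userdebug_or_eng block continues past the end of this hunk.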
diff --git a/private/shell.te b/private/shell.te
index 090adb2..a392665 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -86,6 +86,9 @@
 # Allow shell to execute simpleperf without a domain transition.
 allow shell simpleperf_exec:file rx_file_perms;
 
+# Allow shell to execute profcollectctl without a domain transition.
+allow shell profcollectd_exec:file rx_file_perms;
+
 # Allow shell to call perf_event_open for profiling other shell processes, but
 # not the whole system.
 allow shell self:perf_event { open read write kernel };
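Review bot: The added `allow shell profcollectd_exec:file rx_file_perms;` is unconditional, while every other profcollectd rule in this commit is wrapped in userdebug_or_eng, so user builds also carry the grant. Wrapping it in userdebug_or_eng the way private/system_server.te does for its binder_call would keep the policy consistent. Because profcollectctl then runs in the shell domain, it can only reach the daemon if shell is allowed to find `profcollectd_service` and make binder calls to profcollectd. Neither rule is visible in this diff, so that path should be exercised in enforcing mode.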
diff --git a/private/system_server.te b/private/system_server.te
index 8191b6a..58ccc18 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -215,6 +215,7 @@
 binder_call(system_server, iorapd)
 binder_call(system_server, netd)
 binder_call(system_server, notify_traceur)
+userdebug_or_eng(`binder_call(system_server, profcollectd)')
 binder_call(system_server, statsd)
 binder_call(system_server, storaged)
 binder_call(system_server, update_engine)