commit 4ff061117003a818ff55f13ad8836b3e06bad87c
author Yabin Cui <yabinc@google.com> Mon Jan 27 15:01:28 2025 -0800
committer Yabin Cui <yabinc@google.com> Mon Jan 27 16:23:35 2025 -0800
tree cd2811c637bc3f9d1f5077bba149f4d4124f5e58
parent 52775c74544a2073c129f4eec9ad5e5348b2c1d9

Reland "runas/shell.te: remove {kernel} to perf_event_open"

This reverts commit 1b3cf9171a549200154dae5a6e5b3998efbcfa9d.

Also allow transferring from runas_app domain to simpleperf domain,
when executing /system/bin/simpleperf in run-as.

Bug: 390626125
Test: run CtsSimpleperfTestCases
Change-Id: I78aa529b3dafaeebc1531069d31c43992d659ba5

private/runas_app.te

diff --git a/private/runas_app.te b/private/runas_app.te
index 9142a19..88b4abb 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -17,9 +17,6 @@
 allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
 allow runas_app untrusted_app_all:unix_stream_socket connectto;
 
-# Allow executing system image simpleperf without a domain transition.
-allow runas_app simpleperf_exec:file rx_file_perms;
-
 # Suppress denial logspam when simpleperf is trying to find a matching process
 # by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
 # the same domain as their respective process, most of which this domain is not
@@ -28,8 +25,8 @@
 
 # Allow runas_app to call perf_event_open for profiling debuggable app
 # processes, but not the whole system.
-allow runas_app self:perf_event { open read write kernel };
-neverallow runas_app self:perf_event ~{ open read write kernel };
+allow runas_app self:perf_event { open read write };
+neverallow runas_app self:perf_event ~{ open read write };
 
 # Suppress bionic loader denial /data/local/tests directories.
 dontaudit runas_app shell_test_data_file:dir search;

private/shell.te

diff --git a/private/shell.te b/private/shell.te
index 2033f7e..3e45e1f 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -142,7 +142,7 @@
 
 # Allow shell to call perf_event_open for profiling other shell processes, but
 # not the whole system.
-allow shell self:perf_event { open read write kernel };
+allow shell self:perf_event { open read write };
 
 # Allow shell to read microdroid vendor image
 r_dir_file(shell, vendor_microdroid_file)

private/simpleperf.te

diff --git a/private/simpleperf.te b/private/simpleperf.te
index 9c70060..6fff07c 100644
--- a/private/simpleperf.te
+++ b/private/simpleperf.te
@@ -14,7 +14,7 @@
   untrusted_app_all
 }')
 
-domain_auto_trans({ simpleperf_profileable_apps -runas_app }, simpleperf_exec, simpleperf)
+domain_auto_trans(simpleperf_profileable_apps, simpleperf_exec, simpleperf)
 
 # When running in this domain, simpleperf is scoped to profiling an individual
 # app. The necessary MAC permissions for profiling are more maintainable and