Reland "runas/shell.te: remove {kernel} to perf_event_open"
This reverts commit 1b3cf9171a549200154dae5a6e5b3998efbcfa9d.
Also allow a domain transition from the runas_app domain to the simpleperf domain
when /system/bin/simpleperf is executed under run-as.
Bug: 390626125
Test: run CtsSimpleperfTestCases
Change-Id: I78aa529b3dafaeebc1531069d31c43992d659ba5
diff --git a/private/runas_app.te b/private/runas_app.te
index 9142a19..88b4abb 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -17,9 +17,6 @@
allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;
-# Allow executing system image simpleperf without a domain transition.
-allow runas_app simpleperf_exec:file rx_file_perms;
-
# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
# the same domain as their respective process, most of which this domain is not
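Review bot: Removing `allow runas_app simpleperf_exec:file rx_file_perms;` leaves no rule in this hunk that lets runas_app execute simpleperf at all; the commit message says a runas_app-to-simpleperf domain transition now covers this, but that transition rule is not visible here (presumably it lives with the simpleperf domain's own policy), so this file only works if both changes land together. A comment where the removed rule stood would keep that dependency discoverable, e.g. `# Executing system image simpleperf from run-as now transitions to the simpleperf domain (transition rule defined with the simpleperf domain policy).` Because the process then runs in the simpleperf domain rather than runas_app, the perf_event restrictions this file places on runas_app no longer bound a run-as simpleperf; it is the simpleperf domain's own perf_event rules, outside this diff, that now limit kernel-level sampling, so those should be confirmed to be at least as tight as the runas_app rules.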
@@ -28,8 +25,8 @@
# Allow runas_app to call perf_event_open for profiling debuggable app
# processes, but not the whole system.
-allow runas_app self:perf_event { open read write kernel };
-neverallow runas_app self:perf_event ~{ open read write kernel };
+allow runas_app self:perf_event { open read write };
+neverallow runas_app self:perf_event ~{ open read write };
# Suppress bionic loader denial /data/local/tests directories.
dontaudit runas_app shell_test_data_file:dir search;