Merge "Combining hal_radio_*_service into hal_radio_service"
diff --git a/private/coredomain.te b/private/coredomain.te
index f8a61d2..e4c9a52 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -76,6 +76,7 @@
         userdebug_or_eng(`-profcollectd')
         -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
+        userdebug_or_eng(`-simpleperf_boot')
         -system_server
         -traced_perf
         -mediaserver
@@ -121,6 +122,7 @@
         -zygote
         -heapprofd
         userdebug_or_eng(`-profcollectd')
+        userdebug_or_eng(`-simpleperf_boot')
     } vendor_overlay_file:file open;
 ')
 
@@ -176,6 +178,7 @@
     -system_server
     -traceur_app
     userdebug_or_eng(`-profcollectd')
+    userdebug_or_eng(`-simpleperf_boot')
   } debugfs_tracing:file no_rw_file_perms;
 
   # inotifyfs
diff --git a/private/domain.te b/private/domain.te
index ae5b0d7..b193330 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -121,6 +121,7 @@
   -dumpstate
   userdebug_or_eng(`-incidentd')
   userdebug_or_eng(`-profcollectd')
+  userdebug_or_eng(`-simpleperf_boot')
   -storaged
   -system_server
 } self:global_capability_class_set sys_ptrace;
@@ -456,6 +457,7 @@
     -iorap_inode2filename
     -iorap_prefetcherd
     -kernel
+    userdebug_or_eng(`-simpleperf_boot')
     -traced_perf
     -ueventd
   } vendor_file:file { no_w_file_perms no_x_file_perms open };
@@ -496,6 +498,7 @@
     -heapprofd
     userdebug_or_eng(`-profcollectd')
     -shell
+    userdebug_or_eng(`-simpleperf_boot')
     -system_executes_vendor_violators
     -traced_perf # library/binary access for symbolization
     -ueventd # reads /vendor/ueventd.rc
@@ -547,6 +550,7 @@
   -init
   userdebug_or_eng(`-profcollectd')
   -vendor_init
+  userdebug_or_eng(`-simpleperf_boot')
   -traced_probes
   -traced_perf
 } proc_kallsyms:file { open read };
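Review bot: The added `userdebug_or_eng(`-simpleperf_boot')` in the proc_kallsyms neverallow exemption list is placed after `-vendor_init`, whereas the other hunks in this commit insert it either in alphabetical position or directly beside the other `userdebug_or_eng` exemptions (next to `-profcollectd`). Moving the line up to follow `userdebug_or_eng(`-profcollectd')` keeps the exemption lists consistent across coredomain.te, domain.te and property.te, which makes later audits of who may read /proc/kallsyms easier to diff. The enclosing `neverallow { ... }` block begins before this hunk.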
diff --git a/private/property.te b/private/property.te
index f63beb9..c9c811a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -557,6 +557,7 @@
   domain
   -init
   userdebug_or_eng(`-profcollectd')
+  userdebug_or_eng(`-simpleperf_boot')
   userdebug_or_eng(`-traced_probes')
   userdebug_or_eng(`-traced_perf')
 } {
diff --git a/private/simpleperf_boot.te b/private/simpleperf_boot.te
new file mode 100644
index 0000000..e71c492
--- /dev/null
+++ b/private/simpleperf_boot.te
@@ -0,0 +1,59 @@
+# Domain used when running /system/bin/simpleperf to record boot-time profiles.
+# It is started by init process. It's only available on userdebug/eng build.
+
+type simpleperf_boot, domain, coredomain, mlstrustedsubject;
+
+# /data/simpleperf_boot_data, used to store boot-time profiles.
+type simpleperf_boot_data_file, file_type;
+
+userdebug_or_eng(`
+  domain_auto_trans(init, simpleperf_exec, simpleperf_boot)
+
+  # simpleperf_boot writes profile data to /data/simpleperf_boot_data.
+  allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms;
+  allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms;
+
+  # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling.
+  allow simpleperf_boot self:perf_event { cpu kernel open read write };
+  allow simpleperf_boot self:global_capability2_class_set perfmon;
+
+  # Allow simpleperf_boot to scan through /proc/pid for all processes.
+  r_dir_file(simpleperf_boot, domain)
+
+  # Allow simpleperf_boot to read executable binaries.
+  allow simpleperf_boot system_file_type:file r_file_perms;
+  allow simpleperf_boot vendor_file_type:file r_file_perms;
+
+  # Allow simpleperf_boot to search for and read kernel modules.
+  allow simpleperf_boot vendor_file:dir r_dir_perms;
+  allow simpleperf_boot vendor_kernel_modules:file r_file_perms;
+
+  # Allow simpleperf_boot to read system bootstrap libs.
+  allow simpleperf_boot system_bootstrap_lib_file:dir search;
+  allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms;
+
+  # Allow simpleperf_boot to access tracefs.
+  allow simpleperf_boot debugfs_tracing:dir r_dir_perms;
+  allow simpleperf_boot debugfs_tracing:file rw_file_perms;
+  allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms;
+  allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms;
+
+  # Allow simpleperf_boot to write to perf_event_paranoid under /proc.
+  allow simpleperf_boot proc_perf:file write;
+
+  # Allow simpleperf_boot to read process maps.
+  allow simpleperf_boot self:global_capability_class_set sys_ptrace;
+  # Allow simpleperf_boot to read JIT debug info from system_server and zygote.
+  allow simpleperf_boot { system_server zygote }:process ptrace;
+
+  # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+  # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+  set_prop(simpleperf_boot, lower_kptr_restrict_prop)
+  allow simpleperf_boot proc_kallsyms:file r_file_perms;
+  allow simpleperf_boot proc_modules:file r_file_perms;
+
+  # Allow simpleperf_boot to read kernel build id.
+  allow simpleperf_boot sysfs_kernel_notes:file r_file_perms;
+
+  dontaudit simpleperf_boot shell_data_file:dir search;
+')
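Review bot: The `mlstrustedsubject` attribute on the `type simpleperf_boot, domain, coredomain, mlstrustedsubject;` line is granted without a rationale, while every allow rule in the file carries one; since it exempts the domain from MLS constraints it deserves a comment such as `# mlstrustedsubject: presumably needed to read /proc/<pid> of processes at other MLS levels (see r_dir_file below) -- confirm.` Likewise the trailing `dontaudit simpleperf_boot shell_data_file:dir search;` is the only uncommented rule; a line like `# Suppress denials from searching shell_data_file; no access is needed. TODO: record which code path triggers it.` would let the suppression be revisited. Note also that the two `type` declarations sit outside the `userdebug_or_eng` block, so the types exist on user builds with no rules attached; if that is deliberate (so that file_contexts and the neverallow exemptions elsewhere resolve), a one-line comment saying so would prevent someone from "fixing" it.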
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index d304ae6..c4f2cd9 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -55,17 +55,22 @@
 # Run derive_classpath in our domain
 allow virtualizationservice derive_classpath_exec:file rx_file_perms;
 allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationservice self:dir write;
 
 # Let virtualizationservice to accept vsock connection from the guest VMs
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
 # Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
-allow virtualizationservice kvm_device:chr_file { open read write };
+allow virtualizationservice kvm_device:chr_file { open read write ioctl };
 allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
 
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
 
+# Allow writing stats to statsd
+unix_socket_send(virtualizationservice, statsdw, statsd)
+
 neverallow {
   domain
   -init
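Review bot: The new `dontaudit virtualizationservice self:dir write;` is broader than its comment suggests: `self:dir` matches any directory labelled with the domain's own type, not just /proc/self/fd, so the comment should state what actually triggers the denial and why it is safe to hide, e.g. `# Ignore harmless denials on /proc/self/fd (self:dir write; triggered by <operation> -- TODO record)`. Silencing with dontaudit is fine for known-benign noise, but an unexplained suppression is the kind of rule that later masks a real misbehaviour, so the trigger is worth pinning down. The `neverallow { domain -init ...` block at the end of the hunk continues outside it.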