sepolicy: Allow prefetch to open/read rootfs
Prefetch attempts to improve the boot time by preloading files
from disk in advance, saving Disk I/O time. For this, it needs
read access for rootfs from SELinux.
Prefetch monitors and records ftrace event for page cache addition
to identify which files are accessed during boot, but ftrace only
reports inode for a file. To resolve file paths from inodes,
prefetch need to walk through a directory tree to create a lookup
table from inodes to file path.
Because directory walking starts from `/`, prefetch is unable to make a
lookup table without an access to `rootfs:dir`. This CL grants
that access.
By allowing `rootfs:dir`, the prefetch will improve boot time by
300-1000ms depending on devices.
Bug: 380766679
Test: reboot until `prefetch.pack` is made, then
`prefetch dump --paths prefetch.pack --format csv`
Test: `setprop ctl.start prefetch_replay`, and then
`dmesg | grep avc: `. no prefetch denial visible on logs
Change-Id: I85b894910833561dab953e3b18884106472b949f
diff --git a/private/prefetch.te b/private/prefetch.te
index 21287f3..69008b5 100644
--- a/private/prefetch.te
+++ b/private/prefetch.te
@@ -22,3 +22,7 @@
-init
-shell
} ctl_prefetch_prop:property_service set;
+
+# Allow rootfs so prefetch can walk through directory tree and
+# create a map of inodes -> file path.
+allow prefetch rootfs:dir { open read search getattr };