Don't allow other processes to ptrace simpleperf domain

This prevents run-as and other processes from ptracing the
simpleperf domain.
Also remove simpleperf from untrusted_app_domain.

Bug: 390626125
Test: run CtsSimpleperfTestCases
Change-Id: I72008fa4b2c2e900423e31d6d752f0b773b0c425
diff --git a/private/simpleperf.te b/private/simpleperf.te
index 6fff07c..46769cb 100644
--- a/private/simpleperf.te
+++ b/private/simpleperf.te
@@ -21,7 +21,6 @@
 # consistent if simpleperf is marked as an app domain as well (as, for example,
 # it will then see the same set of system libraries as the app).
 app_domain(simpleperf)
-untrusted_app_domain(simpleperf)
 
 # Allow ptrace attach to the target app, for reading JIT debug info (using
 # process_vm_readv) during unwinding and symbolization.
@@ -45,7 +44,23 @@
 # not allowed to see.
 dontaudit simpleperf domain:dir search;
 
+# Allow simpleperf to read apk files and libraries executed by the app.
+r_dir_file(simpleperf, privapp_data_file);
+r_dir_file(simpleperf, app_data_file);
+allow simpleperf { apk_tmp_file apk_private_tmp_file }:file { getattr read };
+allow simpleperf system_linker_exec:file r_file_perms;
+allow simpleperf app_exec_data_file:file r_file_perms;
+allow simpleperf asec_public_file:file r_file_perms;
+r_dir_file(simpleperf, vendor_app_file);
+
+# Allow simpleperf to read input files passed from adb shell.
+allow simpleperf shell_data_file:file r_file_perms;
+allow simpleperf shell_data_file:dir r_dir_perms;
+
 # Neverallows:
 
 # Profiling must be confined to the scope of an individual app.
 neverallow simpleperf self:perf_event ~{ open read write kernel };
+# Never allow other processes to ptrace simpleperf, as this could leak sensitive infomation from
+# raw samples.
+neverallow { domain -crash_dump -llkd } simpleperf:process ptrace;
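Review bot: The comment above the new neverallow on the last line says why ptrace of simpleperf is forbidden but not why `crash_dump` and `llkd` are carved out, and it misspells "information"; since the exemptions are the part a future reader is most likely to widen by mistake, the rationale belongs next to them. If the carve-outs exist because those two daemons need ptrace for crash collection and livelock detection, I would write `# Never allow other processes to ptrace simpleperf, as this could leak sensitive information from` / `# raw samples. Only crash_dump (crash collection) and llkd (livelock detection) are exempt.`; if that is not the reason, state the actual one. Separately, the comment at the top of the new read rules says "libraries executed by the app", but `r_dir_file(simpleperf, app_data_file)` and `r_dir_file(simpleperf, privapp_data_file)` are type-wide rather than scoped to the target app, so either the comment should say that the scoping is expected to come from elsewhere (the MLS categories, if that is what confines it) or note explicitly that simpleperf is trusted to read all app data.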