Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / ffa0dd93f33cc8d3c2a448de50db6497cdde1089^! / . / private / untrusted_app_all.te
commitffa0dd93f33cc8d3c2a448de50db6497cdde1089[log] [tgz]
authorRyan Savitski <rsavitski@google.com>Fri Jan 10 19:02:43 2020 +0000
committerRyan Savitski <rsavitski@google.com>Wed Jan 15 16:56:41 2020 +0000
treedc1251c6cd415541f0e2397128ca16d6a991119b
parentedc513c8c17dbd411a5439d398015ae7fdf2cb14 [diff] [blame]
perf_event: rules for system and simpleperf domain

This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
                            untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)

simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.

runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).

system-wide profiling is effectively constrained to "su" on debug
builds.

See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.

Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d8e0b14..769ddb0 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te

@@ -168,3 +168,8 @@
   allow untrusted_app_all debugfs_kcov:file rw_file_perms;
   allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
 ')
+
+# Allow signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow untrusted_app_all simpleperf:process signal;