private/simpleperf.te - android_system_sepolicy - Gitiles

 # Domain used when running /system/bin/simpleperf to profile a specific app.
 # Entered either by the app itself exec-ing the binary, or through
 # simpleperf_app_runner (with shell as its origin). Certain other domains
 # (runas_app, shell) can also exec this binary without a domain transition.
 typeattribute simpleperf coredomain;
 type simpleperf_exec, system_file_type, exec_type, file_type;

 # Define apps that can be marked debuggable/profileable and be profiled by simpleperf.
 define(`simpleperf_profileable_apps', `{
   ephemeral_app
   isolated_app
   platform_app
   priv_app
   untrusted_app_all
 }')

 domain_auto_trans(simpleperf_profileable_apps, simpleperf_exec, simpleperf)

 # When running in this domain, simpleperf is scoped to profiling an individual
 # app. The necessary MAC permissions for profiling are more maintainable and
 # consistent if simpleperf is marked as an app domain as well (as, for example,
 # it will then see the same set of system libraries as the app).
 app_domain(simpleperf)

 # Allow ptrace attach to the target app, for reading JIT debug info (using
 # process_vm_readv) during unwinding and symbolization.
 allow simpleperf simpleperf_profileable_apps:process ptrace;

 # Allow using perf_event_open syscall for profiling the target app.
 allow simpleperf self:perf_event { open read write kernel };

 # Allow /proc/<pid> access for the target app (for example, when trying to
 # discover it by cmdline).
 r_dir_file(simpleperf, simpleperf_profileable_apps)

 # Allow apps signalling simpleperf domain, which is the domain that the simpleperf
 # profiler runs as when executed by the app. The signals are used to control
 # the profiler (which would be profiling the app that is sending the signal).
 allow simpleperf_profileable_apps simpleperf:process signal;

 # Suppress denial logspam when simpleperf is trying to find a matching process
 # by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
 # the same domain as their respective processes, most of which this domain is
 # not allowed to see.
 dontaudit simpleperf domain:dir search;

 # Allow simpleperf to read apk files and libraries executed by the app.
 r_dir_file(simpleperf, privapp_data_file);
 r_dir_file(simpleperf, app_data_file);
 allow simpleperf { apk_tmp_file apk_private_tmp_file }:file { getattr read };
 allow simpleperf system_linker_exec:file r_file_perms;
 allow simpleperf app_exec_data_file:file r_file_perms;
 allow simpleperf asec_public_file:file r_file_perms;
 r_dir_file(simpleperf, vendor_app_file);

 # Allow simpleperf to read input files passed from adb shell.
 allow simpleperf shell_data_file:file r_file_perms;
 allow simpleperf shell_data_file:dir r_dir_perms;

 # Neverallows:

 # Profiling must be confined to the scope of an individual app.
 neverallow simpleperf self:perf_event ~{ open read write kernel };
 # Never allow other processes to ptrace simpleperf, as this could leak sensitive infomation from
 # raw samples.
 neverallow { domain -crash_dump -llkd } simpleperf:process ptrace;
	# Domain used when running /system/bin/simpleperf to profile a specific app.
	# Entered either by the app itself exec-ing the binary, or through
	# simpleperf_app_runner (with shell as its origin). Certain other domains
	# (runas_app, shell) can also exec this binary without a domain transition.
	typeattribute simpleperf coredomain;
	type simpleperf_exec, system_file_type, exec_type, file_type;

	# Define apps that can be marked debuggable/profileable and be profiled by simpleperf.
	define(`simpleperf_profileable_apps', `{
	ephemeral_app
	isolated_app
	platform_app
	priv_app
	untrusted_app_all
	}')

	domain_auto_trans(simpleperf_profileable_apps, simpleperf_exec, simpleperf)

	# When running in this domain, simpleperf is scoped to profiling an individual
	# app. The necessary MAC permissions for profiling are more maintainable and
	# consistent if simpleperf is marked as an app domain as well (as, for example,
	# it will then see the same set of system libraries as the app).
	app_domain(simpleperf)

	# Allow ptrace attach to the target app, for reading JIT debug info (using
	# process_vm_readv) during unwinding and symbolization.
	allow simpleperf simpleperf_profileable_apps:process ptrace;

	# Allow using perf_event_open syscall for profiling the target app.
	allow simpleperf self:perf_event { open read write kernel };

	# Allow /proc/<pid> access for the target app (for example, when trying to
	# discover it by cmdline).
	r_dir_file(simpleperf, simpleperf_profileable_apps)

	# Allow apps signalling simpleperf domain, which is the domain that the simpleperf
	# profiler runs as when executed by the app. The signals are used to control
	# the profiler (which would be profiling the app that is sending the signal).
	allow simpleperf_profileable_apps simpleperf:process signal;

	# Suppress denial logspam when simpleperf is trying to find a matching process
	# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
	# the same domain as their respective processes, most of which this domain is
	# not allowed to see.
	dontaudit simpleperf domain:dir search;

	# Allow simpleperf to read apk files and libraries executed by the app.
	r_dir_file(simpleperf, privapp_data_file);
	r_dir_file(simpleperf, app_data_file);
	allow simpleperf { apk_tmp_file apk_private_tmp_file }:file { getattr read };
	allow simpleperf system_linker_exec:file r_file_perms;
	allow simpleperf app_exec_data_file:file r_file_perms;
	allow simpleperf asec_public_file:file r_file_perms;
	r_dir_file(simpleperf, vendor_app_file);

	# Allow simpleperf to read input files passed from adb shell.
	allow simpleperf shell_data_file:file r_file_perms;
	allow simpleperf shell_data_file:dir r_dir_perms;

	# Neverallows:

	# Profiling must be confined to the scope of an individual app.
	neverallow simpleperf self:perf_event ~{ open read write kernel };
	# Never allow other processes to ptrace simpleperf, as this could leak sensitive infomation from
	# raw samples.
	neverallow { domain -crash_dump -llkd } simpleperf:process ptrace;