private/traced_perf.te

# Performance profiler, backed by perf_event_open(2).
# See go/perfetto-perf-android.
typeattribute traced_perf coredomain;
typeattribute traced_perf mlstrustedsubject;

type traced_perf_exec, system_file_type, exec_type, file_type;

init_daemon_domain(traced_perf)
perfetto_producer(traced_perf)

# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
# profiling, but retain samples only for profileable processes.
# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
# check (which would require a process:attach SELinux allow-rule).
allow traced_perf self:perf_event { open cpu kernel read write tracepoint };

# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
# sampled stacks, which requires opening the backing libraries/executables (as
# symbols are usually not mapped into the process space). Not all such files
# are world-readable, e.g. odex files that included user profiles during
# profile-guided optimization.
allow traced_perf self:capability { kill dac_read_search };

# Allow reading /system/data/packages.list.
allow traced_perf packages_list_file:file r_file_perms;

# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
# ART apex files and directory access to the containing /data/misc/apexdata.
r_dir_file(traced_perf, apex_art_data_file)
allow traced_perf apex_module_data_file:dir { getattr search };

# For kernel address symbolisation. Allow reading from /proc/kallsyms inherited
# from init, as well as separately opening and locking the file for
# coordinating the use of that shared fd.
# On debuggable builds, allow using lower_kptr_restrict_prop to temporarily
# lift kptr_restrict systemwide.
userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
allow traced_perf proc_kallsyms:file { open read lock };

# Allow reading tracefs files to get the format and numeric ids of tracepoints.
allow traced_perf debugfs_tracing:dir r_dir_perms;
allow traced_perf debugfs_tracing:file r_file_perms;
userdebug_or_eng(`
  allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
  allow traced_perf debugfs_tracing_debug:file r_file_perms;
')

# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };

# Do not audit failures to signal a process, as there are cases when this is
# expected (native processes on debug builds use the policy for enforcing which
# processes are profileable).
dontaudit traced_perf domain:process signal;

# Never allow access to app data files
neverallow traced_perf app_data_file_type:file *;

# Never allow profiling privileged or otherwise incompatible domains.
# Corresponding allow-rule is in private/domain.te.
never_profile_perf(`{
  apexd
  app_zygote
  bpfloader
  hal_configstore_server
  init
  kernel
  keystore
  llkd
  logd
  ueventd
  vendor_init
  vold
  webview_zygote
  zygote
}')