| Yabin Cui | f17fb42 | 2021-11-24 14:06:07 -0800 | [diff] [blame] | 1 | # Domain used when running /system/bin/simpleperf to record boot-time profiles. |
| 2 | # It is started by init process. It's only available on userdebug/eng build. |
| 3 | |
| 4 | type simpleperf_boot, domain, coredomain, mlstrustedsubject; |
| 5 | |
| 6 | # /data/simpleperf_boot_data, used to store boot-time profiles. |
| 7 | type simpleperf_boot_data_file, file_type; |
| 8 | |
| 9 | userdebug_or_eng(` |
| 10 | domain_auto_trans(init, simpleperf_exec, simpleperf_boot) |
| 11 | |
| 12 | # simpleperf_boot writes profile data to /data/simpleperf_boot_data. |
| 13 | allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms; |
| 14 | allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms; |
| 15 | |
| 16 | # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling. |
| 17 | allow simpleperf_boot self:perf_event { cpu kernel open read write }; |
| 18 | allow simpleperf_boot self:global_capability2_class_set perfmon; |
| 19 | |
| 20 | # Allow simpleperf_boot to scan through /proc/pid for all processes. |
| 21 | r_dir_file(simpleperf_boot, domain) |
| 22 | |
| 23 | # Allow simpleperf_boot to read executable binaries. |
| 24 | allow simpleperf_boot system_file_type:file r_file_perms; |
| 25 | allow simpleperf_boot vendor_file_type:file r_file_perms; |
| 26 | |
| 27 | # Allow simpleperf_boot to search for and read kernel modules. |
| 28 | allow simpleperf_boot vendor_file:dir r_dir_perms; |
| 29 | allow simpleperf_boot vendor_kernel_modules:file r_file_perms; |
| 30 | |
| 31 | # Allow simpleperf_boot to read system bootstrap libs. |
| 32 | allow simpleperf_boot system_bootstrap_lib_file:dir search; |
| 33 | allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms; |
| 34 | |
| 35 | # Allow simpleperf_boot to access tracefs. |
| 36 | allow simpleperf_boot debugfs_tracing:dir r_dir_perms; |
| 37 | allow simpleperf_boot debugfs_tracing:file rw_file_perms; |
| 38 | allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms; |
| 39 | allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms; |
| 40 | |
| 41 | # Allow simpleperf_boot to write to perf_event_paranoid under /proc. |
| 42 | allow simpleperf_boot proc_perf:file write; |
| 43 | |
| 44 | # Allow simpleperf_boot to read process maps. |
| 45 | allow simpleperf_boot self:global_capability_class_set sys_ptrace; |
| 46 | # Allow simpleperf_boot to read JIT debug info from system_server and zygote. |
| 47 | allow simpleperf_boot { system_server zygote }:process ptrace; |
| 48 | |
| 49 | # Allow to temporarily lift the kptr_restrict setting and get kernel start address |
| 50 | # by reading /proc/kallsyms, get module start address by reading /proc/modules. |
| 51 | set_prop(simpleperf_boot, lower_kptr_restrict_prop) |
| 52 | allow simpleperf_boot proc_kallsyms:file r_file_perms; |
| 53 | allow simpleperf_boot proc_modules:file r_file_perms; |
| 54 | |
| 55 | # Allow simpleperf_boot to read kernel build id. |
| 56 | allow simpleperf_boot sysfs_kernel_notes:file r_file_perms; |
| 57 | |
| 58 | dontaudit simpleperf_boot shell_data_file:dir search; |
| 59 | ') |