You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
122 lines
4.5 KiB
122 lines
4.5 KiB
# perfprofd - perf profile collection daemon
|
|
type perfprofd, domain;
|
|
type perfprofd_exec, system_file_type, exec_type, file_type;
|
|
|
|
userdebug_or_eng(`
|
|
|
|
typeattribute perfprofd coredomain;
|
|
typeattribute perfprofd mlstrustedsubject;
|
|
|
|
# perfprofd access to sysfs directory structure.
|
|
allow perfprofd sysfs_type:dir search;
|
|
|
|
# perfprofd needs to control CPU hot-plug in order to avoid kernel
|
|
# perfevents problems in cases where CPU goes on/off during measurement;
|
|
# this means read access to /sys/devices/system/cpu/possible
|
|
# and read/write access to /sys/devices/system/cpu/cpu*/online
|
|
allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
|
|
|
|
# perfprofd checks for the existence of and then invokes simpleperf;
|
|
# simpleperf retains perfprofd domain after exec
|
|
allow perfprofd system_file:file rx_file_perms;
|
|
|
|
# perfprofd reads a config file from /data/data/com.google.android.gms/files
|
|
allow perfprofd { privapp_data_file app_data_file }:file r_file_perms;
|
|
allow perfprofd { privapp_data_file app_data_file }:dir search;
|
|
allow perfprofd self:global_capability_class_set { dac_override dac_read_search };
|
|
|
|
# perfprofd opens a file for writing in /data/misc/perfprofd
|
|
allow perfprofd perfprofd_data_file:file create_file_perms;
|
|
allow perfprofd perfprofd_data_file:dir rw_dir_perms;
|
|
|
|
# perfprofd uses the system log
|
|
read_logd(perfprofd);
|
|
write_logd(perfprofd);
|
|
|
|
# perfprofd inspects /sys/power/wake_unlock
|
|
wakelock_use(perfprofd);
|
|
|
|
# perfprofd looks at thermals.
|
|
allow perfprofd sysfs_thermal:dir r_dir_perms;
|
|
|
|
# perfprofd gets charging status.
|
|
hal_client_domain(perfprofd, hal_health)
|
|
|
|
# simpleperf reads kernel notes.
|
|
allow perfprofd sysfs_kernel_notes:file r_file_perms;
|
|
|
|
# Simpleperf & perfprofd query a range of proc stats.
|
|
allow perfprofd proc_loadavg:file r_file_perms;
|
|
allow perfprofd proc_stat:file r_file_perms;
|
|
allow perfprofd proc_modules:file r_file_perms;
|
|
|
|
# simpleperf writes to perf_event_paranoid under /proc.
|
|
allow perfprofd proc_perf:file write;
|
|
|
|
# Simpleperf: kptr_restrict. This would be required to dump kernel symbols.
|
|
dontaudit perfprofd proc_security:file *;
|
|
|
|
# simpleperf uses ioctl() to turn on kernel perf events measurements
|
|
allow perfprofd self:global_capability_class_set sys_admin;
|
|
|
|
# simpleperf needs to examine /proc to collect task/thread info
|
|
r_dir_file(perfprofd, domain)
|
|
|
|
# simpleperf needs to access /proc/<pid>/exec
|
|
allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
|
|
neverallow perfprofd domain:process ptrace;
|
|
|
|
# simpleperf needs open/read any file that turns up in a profile
|
|
# to see whether it has a build ID
|
|
allow perfprofd exec_type:file r_file_perms;
|
|
# App & ART artifacts.
|
|
r_dir_file(perfprofd, apk_data_file)
|
|
r_dir_file(perfprofd, dalvikcache_data_file)
|
|
# Vendor libraries.
|
|
r_dir_file(perfprofd, vendor_file)
|
|
# Vendor apps.
|
|
r_dir_file(perfprofd, vendor_app_file)
|
|
# SP HAL files.
|
|
r_dir_file(perfprofd, same_process_hal_file)
|
|
|
|
# simpleperf will set security.perf_harden to enable access to perf_event_open()
|
|
set_prop(perfprofd, shell_prop)
|
|
|
|
# simpleperf examines debugfs on startup to collect tracepoint event types
|
|
r_dir_file(perfprofd, debugfs_tracing)
|
|
r_dir_file(perfprofd, debugfs_tracing_debug)
|
|
|
|
# simpleperf is going to execute "sleep"
|
|
allow perfprofd toolbox_exec:file rx_file_perms;
|
|
# simpleperf is going to execute "mv" on a temp file
|
|
allow perfprofd shell_exec:file rx_file_perms;
|
|
|
|
# needed for simpleperf on some kernels
|
|
allow perfprofd self:global_capability_class_set ipc_lock;
|
|
|
|
# simpleperf attempts to put a temp file into /data/local/tmp. Do not allow,
|
|
# use the fallback cwd code, do not spam the log. But ensure this is correctly
|
|
# removed at some point. b/70232908.
|
|
dontaudit perfprofd shell_data_file:dir *;
|
|
dontaudit perfprofd shell_data_file:file *;
|
|
|
|
# Allow perfprofd to publish a binder service and make binder calls.
|
|
binder_use(perfprofd)
|
|
add_service(perfprofd, perfprofd_service)
|
|
|
|
# Use devpts for streams from cmd.
|
|
#
|
|
# This is normally granted to binderservicedomain, but this service
|
|
# has tighter restrictions on the callers (see below), so must enable
|
|
# this manually.
|
|
allow perfprofd devpts:chr_file rw_file_perms;
|
|
|
|
# Use socket & pipe supplied by su, for cmd perfprofd dump.
|
|
allow perfprofd su:unix_stream_socket { read write getattr sendto };
|
|
allow perfprofd su:fifo_file r_file_perms;
|
|
|
|
# Allow perfprofd to submit to dropbox.
|
|
allow perfprofd dropbox_service:service_manager find;
|
|
binder_call(perfprofd, system_server)
|
|
')
|