From e40d6760589855f59f30d5c1b5a3d9fa47e9c29b Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Tue, 5 Dec 2017 10:54:38 -0800
Subject: [PATCH] Sepolicy: Update rules for perfprofd

Follow along with updates in the selinux policy.

Test: m
Test: manual
Change-Id: I0dfc6af8fbfc9c8b6860490ab16f02a220d41915
---
 private/domain.te   |  2 +-
 public/domain.te    |  2 ++
 public/perfprofd.te | 30 +++++++++++++++++++++++++++++-
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/private/domain.te b/private/domain.te
index 663c5418f..e181988f9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -72,7 +72,7 @@ full_treble_only(`
     userdebug_or_eng(`-atrace')
     -dumpstate
     -init
-    -perfprofd
+    userdebug_or_eng(`-perfprofd')
     -shell
     -vendor_init
   } debugfs_tracing:file no_rw_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 0d50c38f9..ffbb54d68 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -762,6 +762,7 @@ full_treble_only(`
         -idmap
         -init
         -installd
+        userdebug_or_eng(`-perfprofd')
         -postinstall_dexopt
         -system_server
         -vendor_init
@@ -774,6 +775,7 @@ full_treble_only(`
         -idmap
         -init
         -installd
+        userdebug_or_eng(`-perfprofd')
         -postinstall_dexopt
         -system_server
         -vendor_init
diff --git a/public/perfprofd.te b/public/perfprofd.te
index 457196903..28465929f 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -33,9 +33,26 @@ userdebug_or_eng(`
   # perfprofd inspects /sys/power/wake_unlock
   wakelock_use(perfprofd);
 
+  # perfprofd looks at thermals.
+  allow perfprofd sysfs_thermal:dir r_dir_perms;
+
+  # perfprofd checks power_supply.
+  r_dir_file(perfprofd, sysfs_batteryinfo)
+
   # simpleperf reads kernel notes.
   allow perfprofd sysfs_kernel_notes:file r_file_perms;
 
+  # Simpleperf & perfprofd query a range of proc stats.
+  allow perfprofd proc_loadavg:file r_file_perms;
+  allow perfprofd proc_stat:file r_file_perms;
+  allow perfprofd proc_modules:file r_file_perms;
+
+  # simpleperf writes to perf_event_paranoid under /proc.
+  allow perfprofd proc_perf:file write;
+
+  # Simpleperf: kptr_restrict. This would be required to dump kernel symbols.
+  dontaudit perfprofd proc_security:file *;
+
   # simpleperf uses ioctl() to turn on kernel perf events measurements
   allow perfprofd self:global_capability_class_set sys_admin;
 
@@ -49,9 +66,20 @@ userdebug_or_eng(`
   # simpleperf needs open/read any file that turns up in a profile
   # to see whether it has a build ID
   allow perfprofd exec_type:file r_file_perms;
+  # App & ART artifacts.
+  r_dir_file(perfprofd, apk_data_file)
+  r_dir_file(perfprofd, dalvikcache_data_file)
+  # Vendor libraries.
+  r_dir_file(perfprofd, vendor_file)
+  # Vendor apps.
+  r_dir_file(perfprofd, vendor_app_file)
+
+  # simpleperf will set security.perf_harden to enable access to perf_event_open()
+  set_prop(perfprofd, shell_prop)
 
   # simpleperf examines debugfs on startup to collect tracepoint event types
-  allow perfprofd debugfs_tracing:file r_file_perms;
+  r_dir_file(perfprofd, debugfs_tracing)
+  allow perfprofd debugfs_tracing_debug:file r_file_perms;
 
   # simpleperf is going to execute "sleep"
   allow perfprofd toolbox_exec:file rx_file_perms;
-- 
GitLab