# perfprofd - perf profile collection daemon
type perfprofd, domain;
type perfprofd_exec, system_file_type, exec_type, file_type;

userdebug_or_eng(`

  typeattribute perfprofd coredomain;
  typeattribute perfprofd mlstrustedsubject;

  # perfprofd access to sysfs directory structure.
  allow perfprofd sysfs_type:dir search;

  # perfprofd needs to control CPU hot-plug in order to avoid kernel
  # perfevents problems in cases where CPU goes on/off during measurement;
  # this means read access to /sys/devices/system/cpu/possible
  # and read/write access to /sys/devices/system/cpu/cpu*/online
  allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;

  # perfprofd checks for the existence of and then invokes simpleperf;
  # simpleperf retains perfprofd domain after exec
  allow perfprofd system_file:file rx_file_perms;

  # perfprofd reads a config file from /data/data/com.google.android.gms/files
  allow perfprofd { privapp_data_file app_data_file }:file r_file_perms;
  allow perfprofd { privapp_data_file app_data_file }:dir search;
  allow perfprofd self:global_capability_class_set { dac_override dac_read_search };

  # perfprofd opens a file for writing in /data/misc/perfprofd
  allow perfprofd perfprofd_data_file:file create_file_perms;
  allow perfprofd perfprofd_data_file:dir rw_dir_perms;

  # perfprofd uses the system log
  read_logd(perfprofd);
  write_logd(perfprofd);

  # perfprofd inspects /sys/power/wake_unlock
  wakelock_use(perfprofd);

  # perfprofd looks at thermals.
  allow perfprofd sysfs_thermal:dir r_dir_perms;

  # perfprofd gets charging status.
  hal_client_domain(perfprofd, hal_health)

  # simpleperf reads kernel notes.
  allow perfprofd sysfs_kernel_notes:file r_file_perms;

  # Simpleperf & perfprofd query a range of proc stats.
  allow perfprofd proc_loadavg:file r_file_perms;
  allow perfprofd proc_stat:file r_file_perms;
  allow perfprofd proc_modules:file r_file_perms;

  # simpleperf writes to perf_event_paranoid under /proc.
  allow perfprofd proc_perf:file write;

  # Simpleperf: kptr_restrict. This would be required to dump kernel symbols.
  dontaudit perfprofd proc_security:file *;

  # simpleperf uses ioctl() to turn on kernel perf events measurements
  allow perfprofd self:global_capability_class_set sys_admin;

  # simpleperf needs to examine /proc to collect task/thread info
  r_dir_file(perfprofd, domain)

  # simpleperf needs to read /proc/<pid>/exe of other processes, which the
  # kernel gates with a ptrace_may_access() check satisfied by CAP_SYS_PTRACE;
  # the capability must never be usable to actually ptrace another domain.
  allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
  neverallow perfprofd domain:process ptrace;

  # simpleperf needs open/read any file that turns up in a profile
  # to see whether it has a build ID
  allow perfprofd exec_type:file r_file_perms;
  # App & ART artifacts.
  r_dir_file(perfprofd, apk_data_file)
  r_dir_file(perfprofd, dalvikcache_data_file)
  # Vendor libraries.
  r_dir_file(perfprofd, vendor_file)
  # Vendor apps.
  r_dir_file(perfprofd, vendor_app_file)
  # SP HAL files.
  r_dir_file(perfprofd, same_process_hal_file)

  # simpleperf will set security.perf_harden to enable access to perf_event_open()
  set_prop(perfprofd, shell_prop)

  # simpleperf examines debugfs on startup to collect tracepoint event types
  r_dir_file(perfprofd, debugfs_tracing)
  r_dir_file(perfprofd, debugfs_tracing_debug)

  # simpleperf is going to execute "sleep"
  allow perfprofd toolbox_exec:file rx_file_perms;
  # simpleperf is going to execute "mv" on a temp file
  allow perfprofd shell_exec:file rx_file_perms;

  # needed for simpleperf on some kernels
  allow perfprofd self:global_capability_class_set ipc_lock;

  # simpleperf attempts to put a temp file into /data/local/tmp. Do not allow,
  # use the fallback cwd code, do not spam the log. But ensure this is correctly
  # removed at some point. b/70232908.
  dontaudit perfprofd shell_data_file:dir *;
  dontaudit perfprofd shell_data_file:file *;

  # Allow perfprofd to publish a binder service and make binder calls.
  binder_use(perfprofd)
  add_service(perfprofd, perfprofd_service)

  # Use devpts for streams from cmd.
  #
  # This is normally granted to binderservicedomain, but this service
  # has tighter restrictions on the callers (see below), so must enable
  # this manually.
  allow perfprofd devpts:chr_file rw_file_perms;

  # Use socket & pipe supplied by su, for cmd perfprofd dump.
  allow perfprofd su:unix_stream_socket { read write getattr sendto };
  allow perfprofd su:fifo_file r_file_perms;

  # Allow perfprofd to submit to dropbox.
  allow perfprofd dropbox_service:service_manager find;
  binder_call(perfprofd, system_server)
')
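The way a policy like this is usually grown is by reading `avc: denied` lines from the kernel log and turning them into the narrowest `allow` rule that satisfies them, then checking the candidate against the constraints the file already states (the `neverallow` on `domain:process ptrace` and the `dontaudit` rules for `shell_data_file` and `proc_security`). The script below is an added example, not code from perfprofd.te or the Android tree, and it is a stripped-down stand-in for `audit2allow`: it parses the kernel's `avc: denied` line format, collapses denials for the `perfprofd` domain into candidate rules, and flags any rule that would violate the `neverallow` or that should have been silenced by a `dontaudit`. The log lines are constructed for the example; the `NEVERALLOW` and `DONTAUDIT` tables are copied by hand from the policy above, and the script does not expand macros such as `r_dir_file`, so it cannot tell you whether a denial is already covered by an existing `allow`.

```python
"""Derive candidate allow rules from avc denials and screen them against the
neverallow/dontaudit constraints in perfprofd.te.

Added example, not part of perfprofd.te or the Android source tree.
SAMPLE_DENIALS is constructed for this example; its field layout follows
the kernel's "avc: denied { perms } for ... scontext= tcontext= tclass=" format.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not captured from a device).
SAMPLE_DENIALS = """\
avc: denied { write } for pid=2117 comm="simpleperf" name="perf_event_paranoid" dev="proc" ino=4026532029 scontext=u:r:perfprofd:s0 tcontext=u:object_r:proc_perf:s0 tclass=file permissive=0
avc: denied { read open } for pid=2117 comm="simpleperf" path="/sys/kernel/notes" dev="sysfs" ino=101 scontext=u:r:perfprofd:s0 tcontext=u:object_r:sysfs_kernel_notes:s0 tclass=file permissive=0
avc: denied { ptrace } for pid=2117 comm="simpleperf" scontext=u:r:perfprofd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=process permissive=0
avc: denied { write } for pid=2117 comm="simpleperf" name="tmp" dev="dm-4" ino=1234 scontext=u:r:perfprofd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=0
avc: denied { read } for pid=900 comm="surfaceflinger" name="stat" dev="proc" ino=4026532021 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=0
"""

# Perms block, then the source/target security contexts and the object class.
# ":s0\S*" swallows MLS categories such as ":s0:c512,c768" on app contexts.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=u:(?:r|object_r):(?P<sdom>[^:\s]+):s0\S*\s+"
    r"tcontext=u:(?:r|object_r):(?P<ttype>[^:\s]+):s0\S*\s+"
    r"tclass=(?P<tclass>\S+)"
)

# Copied from the policy: "neverallow perfprofd domain:process ptrace;".
# The `domain` attribute covers every process type, so any target of
# class `process` is in scope; we only need the class and the perms.
NEVERALLOW = [("process", {"ptrace"})]
# Copied from the policy's dontaudit rules. A logged denial against one
# of these means the policy on the device is not the one in this file.
DONTAUDIT = {("shell_data_file", "dir"), ("shell_data_file", "file"),
             ("proc_security", "file")}


def parse_denials(text):
    """Return one dict per avc line; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append({"perms": set(m["perms"].split()), "sdom": m["sdom"],
                        "ttype": m["ttype"], "tclass": m["tclass"]})
    return out


def derive_rules(denials, domain="perfprofd"):
    """Collapse denials whose source is `domain` into {(ttype, tclass): perms}.
    Denials from other domains are dropped so a noisy log does not produce
    rules for processes we are not reviewing."""
    rules = defaultdict(set)
    for d in denials:
        if d["sdom"] == domain:
            rules[(d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def format_rule(domain, ttype, tclass, perms):
    """Render a rule in .te syntax, bracing the perms only when there are several."""
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {domain} {ttype}:{tclass} {body};"


def review(rules, domain="perfprofd"):
    """Return [(rule_text, verdict)]; verdict is OK, BLOCKED (neverallow) or
    SILENCED (the policy dontaudits this pair, so it should not be in the log)."""
    verdicts = []
    for (ttype, tclass), perms in sorted(rules.items()):
        verdict = "OK"
        for na_class, na_perms in NEVERALLOW:
            if tclass == na_class and perms & na_perms:
                verdict = ("BLOCKED: violates neverallow %s domain:%s %s"
                           % (domain, na_class, " ".join(sorted(na_perms))))
        if (ttype, tclass) in DONTAUDIT:
            verdict = "SILENCED: policy dontaudits this pair; loaded policy differs"
        verdicts.append((format_rule(domain, ttype, tclass, perms), verdict))
    return verdicts


if __name__ == "__main__":
    for rule, verdict in review(derive_rules(parse_denials(SAMPLE_DENIALS))):
        print(verdict, "->", rule)
```

Run against the constructed log it yields `OK` for the `proc_perf` and `sysfs_kernel_notes` rules (both already granted above), `BLOCKED` for the ptrace attempt on `untrusted_app`, and `SILENCED` for the `/data/local/tmp` write, while the `surfaceflinger` denial is ignored because its source domain is not `perfprofd`. On a real device the input would come from `adb shell dmesg` or `logcat -b events`, and a `BLOCKED` verdict is the signal to fix simpleperf's behaviour rather than the policy.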