# profcollectd - hardware profile collection daemon
#
# The domain and its executable type are declared unconditionally so that other
# policy can reference them on every build; every permission granted in this
# file is inside userdebug_or_eng(), so on user builds the domain gets no allow
# rules from here.
# mlstrustedsubject exempts the domain from the MLS constraints - presumably so
# that the /proc/pid scan below reaches processes of every user; confirm.
type profcollectd, domain, coredomain, mlstrustedsubject;
type profcollectd_exec, system_file_type, exec_type, file_type;

userdebug_or_eng(`
  init_daemon_domain(profcollectd)

  # profcollectd opens a file for writing in /data/misc/profcollectd.
  allow profcollectd profcollectd_data_file:file create_file_perms;
  allow profcollectd profcollectd_data_file:dir create_dir_perms;

  # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
  # `cpu` covers per-CPU (i.e. not self-only) events and `kernel` covers
  # kernel-space samples, so this domain can profile beyond its own process.
  allow profcollectd self:perf_event { cpu kernel open read write };

  # Allow profcollectd to scan through /proc/pid for all processes.
  # Read access is granted against the `domain` attribute, i.e. every process
  # domain on the device.
  r_dir_file(profcollectd, domain)

  # Allow profcollectd to read executable binaries.
  allow profcollectd system_file_type:file r_file_perms;
  allow profcollectd vendor_file_type:file r_file_perms;

  # Allow profcollectd to search for and read kernel modules.
  allow profcollectd vendor_file:dir r_dir_perms;
  allow profcollectd vendor_kernel_modules:file r_file_perms;

  # Allow profcollectd to read system bootstrap libs.
  allow profcollectd system_bootstrap_lib_file:dir search;
  allow profcollectd system_bootstrap_lib_file:file r_file_perms;

  # Allow profcollectd to access tracefs.
  # Files get rw_file_perms, not just read, so the daemon can write to tracefs
  # control files as well as read trace output; no finer split is made here.
  allow profcollectd debugfs_tracing:dir r_dir_perms;
  allow profcollectd debugfs_tracing:file rw_file_perms;
  allow profcollectd debugfs_tracing_debug:dir r_dir_perms;
  allow profcollectd debugfs_tracing_debug:file rw_file_perms;

  # Allow profcollectd to write to perf_event_paranoid under /proc.
  # perf_event_paranoid is a global sysctl, so lowering it relaxes perf
  # restrictions for every process, not only this domain.
  allow profcollectd proc_perf:file write;

  # Allow profcollectd to access cs_etm sysfs.
  r_dir_file(profcollectd, sysfs_devices_cs_etm)

  # Allow profcollectd to ptrace.
  # This grants CAP_SYS_PTRACE only; no process:ptrace rule appears in this
  # file, so it presumably serves the ptrace-access checks on other processes'
  # /proc entries rather than attaching to them - confirm.
  allow profcollectd self:global_capability_class_set sys_ptrace;

  # Allow profcollectd to read its system properties.
  get_prop(profcollectd, device_config_profcollect_native_boot_prop)
  set_prop(profcollectd, profcollectd_node_id_prop)

  # Allow profcollectd to publish a binder service and make binder calls.
  binder_use(profcollectd)
  add_service(profcollectd, profcollectd_service)

  # Allow to temporarily lift the kptr_restrict setting and get kernel start address
  # by reading /proc/kallsyms, get module start address by reading /proc/modules.
  # Only the property set is granted here; the sysctl write itself is not in
  # this file and is presumably performed by init in response to the property.
  # While kptr_restrict is lowered, kernel addresses are visible to anything
  # that can read kallsyms, which is why the comment above says "temporarily".
  set_prop(profcollectd, lower_kptr_restrict_prop)
  allow profcollectd proc_kallsyms:file r_file_perms;
  allow profcollectd proc_modules:file r_file_perms;

  # Allow profcollectd to read kernel build id.
  allow profcollectd sysfs_kernel_notes:file r_file_perms;
')