xref: /aosp_15_r20/system/sepolicy/private/simpleperf_boot.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1# Domain used when running /system/bin/simpleperf to record boot-time profiles.
2# It is started by init process. It's only available on userdebug/eng build.
3
4type simpleperf_boot, domain, coredomain, mlstrustedsubject;
5
6# /data/simpleperf_boot_data, used to store boot-time profiles.
7type simpleperf_boot_data_file, file_type;
8
9userdebug_or_eng(`
10  domain_auto_trans(init, simpleperf_exec, simpleperf_boot)
11
12  # simpleperf_boot writes profile data to /data/simpleperf_boot_data.
13  allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms;
14  allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms;
15
16  # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling.
17  allow simpleperf_boot self:perf_event { cpu kernel open read write };
18  allow simpleperf_boot self:global_capability2_class_set perfmon;
19
20  # Allow simpleperf_boot to scan through /proc/pid for all processes.
21  r_dir_file(simpleperf_boot, domain)
22
23  # Allow simpleperf_boot to read executable binaries.
24  allow simpleperf_boot system_file_type:file r_file_perms;
25  allow simpleperf_boot vendor_file_type:file r_file_perms;
26
27  # Allow simpleperf_boot to search for and read kernel modules.
28  allow simpleperf_boot vendor_file:dir r_dir_perms;
29  allow simpleperf_boot vendor_kernel_modules:file r_file_perms;
30
31  # Allow simpleperf_boot to read system bootstrap libs.
32  allow simpleperf_boot system_bootstrap_lib_file:dir search;
33  allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms;
34
35  # Allow simpleperf_boot to access tracefs.
36  allow simpleperf_boot debugfs_tracing:dir r_dir_perms;
37  allow simpleperf_boot debugfs_tracing:file rw_file_perms;
38  allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms;
39  allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms;
40
41  # Allow simpleperf_boot to write to perf_event_paranoid under /proc.
42  allow simpleperf_boot proc_perf:file write;
43
44  # Allow simpleperf_boot to read process maps.
45  allow simpleperf_boot self:global_capability_class_set sys_ptrace;
46  # Allow simpleperf_boot to read JIT debug info from system_server and zygote.
47  allow simpleperf_boot { system_server zygote }:process ptrace;
48
49  # Allow to temporarily lift the kptr_restrict setting and get kernel start address
50  # by reading /proc/kallsyms, get module start address by reading /proc/modules.
51  set_prop(simpleperf_boot, lower_kptr_restrict_prop)
52  allow simpleperf_boot proc_kallsyms:file r_file_perms;
53  allow simpleperf_boot proc_modules:file r_file_perms;
54
55  # Allow simpleperf_boot to read kernel build id.
56  allow simpleperf_boot sysfs_kernel_notes:file r_file_perms;
57
58  dontaudit simpleperf_boot shell_data_file:dir search;
59')
60