1*e4a36f41SAndroid Build Coastguard Worker# Domain used when running /system/bin/simpleperf to record boot-time profiles. 2*e4a36f41SAndroid Build Coastguard Worker# It is started by init process. It's only available on userdebug/eng build. 3*e4a36f41SAndroid Build Coastguard Worker 4*e4a36f41SAndroid Build Coastguard Workertype simpleperf_boot, domain, coredomain, mlstrustedsubject; 5*e4a36f41SAndroid Build Coastguard Worker 6*e4a36f41SAndroid Build Coastguard Worker# /data/simpleperf_boot_data, used to store boot-time profiles. 7*e4a36f41SAndroid Build Coastguard Workertype simpleperf_boot_data_file, file_type; 8*e4a36f41SAndroid Build Coastguard Worker 9*e4a36f41SAndroid Build Coastguard Workeruserdebug_or_eng(` 10*e4a36f41SAndroid Build Coastguard Worker domain_auto_trans(init, simpleperf_exec, simpleperf_boot) 11*e4a36f41SAndroid Build Coastguard Worker 12*e4a36f41SAndroid Build Coastguard Worker # simpleperf_boot writes profile data to /data/simpleperf_boot_data. 13*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms; 14*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms; 15*e4a36f41SAndroid Build Coastguard Worker 16*e4a36f41SAndroid Build Coastguard Worker # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling. 17*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot self:perf_event { cpu kernel open read write }; 18*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot self:global_capability2_class_set perfmon; 19*e4a36f41SAndroid Build Coastguard Worker 20*e4a36f41SAndroid Build Coastguard Worker # Allow simpleperf_boot to scan through /proc/pid for all processes. 21*e4a36f41SAndroid Build Coastguard Worker r_dir_file(simpleperf_boot, domain) 22*e4a36f41SAndroid Build Coastguard Worker 23*e4a36f41SAndroid Build Coastguard Worker # Allow simpleperf_boot to read executable binaries. 24*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot system_file_type:file r_file_perms; 25*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot vendor_file_type:file r_file_perms; 26*e4a36f41SAndroid Build Coastguard Worker 27*e4a36f41SAndroid Build Coastguard Worker # Allow simpleperf_boot to search for and read kernel modules. 28*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot vendor_file:dir r_dir_perms; 29*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot vendor_kernel_modules:file r_file_perms; 30*e4a36f41SAndroid Build Coastguard Worker 31*e4a36f41SAndroid Build Coastguard Worker # Allow simpleperf_boot to read system bootstrap libs. 32*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot system_bootstrap_lib_file:dir search; 33*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms; 34*e4a36f41SAndroid Build Coastguard Worker 35*e4a36f41SAndroid Build Coastguard Worker # Allow simpleperf_boot to access tracefs. 36*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot debugfs_tracing:dir r_dir_perms; 37*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot debugfs_tracing:file rw_file_perms; 38*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms; 39*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms; 40*e4a36f41SAndroid Build Coastguard Worker 41*e4a36f41SAndroid Build Coastguard Worker # Allow simpleperf_boot to write to perf_event_paranoid under /proc. 42*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot proc_perf:file write; 43*e4a36f41SAndroid Build Coastguard Worker 44*e4a36f41SAndroid Build Coastguard Worker # Allow simpleperf_boot to read process maps. 45*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot self:global_capability_class_set sys_ptrace; 46*e4a36f41SAndroid Build Coastguard Worker # Allow simpleperf_boot to read JIT debug info from system_server and zygote. 47*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot { system_server zygote }:process ptrace; 48*e4a36f41SAndroid Build Coastguard Worker 49*e4a36f41SAndroid Build Coastguard Worker # Allow to temporarily lift the kptr_restrict setting and get kernel start address 50*e4a36f41SAndroid Build Coastguard Worker # by reading /proc/kallsyms, get module start address by reading /proc/modules. 51*e4a36f41SAndroid Build Coastguard Worker set_prop(simpleperf_boot, lower_kptr_restrict_prop) 52*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot proc_kallsyms:file r_file_perms; 53*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot proc_modules:file r_file_perms; 54*e4a36f41SAndroid Build Coastguard Worker 55*e4a36f41SAndroid Build Coastguard Worker # Allow simpleperf_boot to read kernel build id. 56*e4a36f41SAndroid Build Coastguard Worker allow simpleperf_boot sysfs_kernel_notes:file r_file_perms; 57*e4a36f41SAndroid Build Coastguard Worker 58*e4a36f41SAndroid Build Coastguard Worker dontaudit simpleperf_boot shell_data_file:dir search; 59*e4a36f41SAndroid Build Coastguard Worker') 60