# Domain used when running /system/bin/simpleperf to profile a specific app. # Entered either by the app itself exec-ing the binary, or through # simpleperf_app_runner (with shell as its origin). Certain other domains # (runas_app, shell) can also exec this binary without a domain transition. typeattribute simpleperf coredomain; type simpleperf_exec, system_file_type, exec_type, file_type; domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf) # When running in this domain, simpleperf is scoped to profiling an individual # app. The necessary MAC permissions for profiling are more maintainable and # consistent if simpleperf is marked as an app domain as well (as, for example, # it will then see the same set of system libraries as the app). app_domain(simpleperf) untrusted_app_domain(simpleperf) # Allow ptrace attach to the target app, for reading JIT debug info (using # process_vm_readv) during unwinding and symbolization. allow simpleperf untrusted_app_all:process ptrace; # Allow using perf_event_open syscall for profiling the target app. allow simpleperf self:perf_event { open read write kernel }; # Allow /proc/ access for the target app (for example, when trying to # discover it by cmdline). r_dir_file(simpleperf, untrusted_app_all) # Suppress denial logspam when simpleperf is trying to find a matching process # by scanning /proc//cmdline files. The /proc/ directories are within # the same domain as their respective processes, most of which this domain is # not allowed to see. dontaudit simpleperf domain:dir search; # Neverallows: # Profiling must be confined to the scope of an individual app. neverallow simpleperf self:perf_event ~{ open read write kernel };