# Domain used when running /system/bin/simpleperf to profile a specific app.
# Entered either by the app itself exec-ing the binary, or through
# simpleperf_app_runner (with shell as its origin). Certain other domains
# (runas_app, shell) can also exec this binary without a domain transition.
typeattribute simpleperf coredomain;
# Label of the simpleperf binary; it is the entrypoint type used by the
# domain_auto_trans rule below.
type simpleperf_exec, system_file_type, exec_type, file_type;

# Define apps that can be marked debuggable/profileable and be profiled by simpleperf.
# This is an m4 definition and must precede every rule that references it.
define(`simpleperf_profileable_apps', `{
  ephemeral_app
  isolated_app
  platform_app
  priv_app
  untrusted_app_all
}')

# Automatic domain transition: when one of the profileable app domains execs a
# file labeled simpleperf_exec, the resulting process runs in the simpleperf domain.
domain_auto_trans(simpleperf_profileable_apps, simpleperf_exec, simpleperf)

# When running in this domain, simpleperf is scoped to profiling an individual
# app. The necessary MAC permissions for profiling are more maintainable and
# consistent if simpleperf is marked as an app domain as well (as, for example,
# it will then see the same set of system libraries as the app).
app_domain(simpleperf)

# Allow ptrace attach to the target app, for reading JIT debug info (using
# process_vm_readv) during unwinding and symbolization.
allow simpleperf simpleperf_profileable_apps:process ptrace;

# Allow using perf_event_open syscall for profiling the target app.
# Only these four perf_event permissions are granted; the neverallow at the end
# of this file pins the set so no other rule can widen it.
allow simpleperf self:perf_event { open read write kernel };

# Allow /proc/<pid> access for the target app (for example, when trying to
# discover it by cmdline).
r_dir_file(simpleperf, simpleperf_profileable_apps)

# Allow apps signalling simpleperf domain, which is the domain that the simpleperf
# profiler runs as when executed by the app. The signals are used to control
# the profiler (which would be profiling the app that is sending the signal).
allow simpleperf_profileable_apps simpleperf:process signal;

# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
# the same domain as their respective processes, most of which this domain is
# not allowed to see.
# dontaudit only silences the audit record; the search itself is still denied.
dontaudit simpleperf domain:dir search;

# Allow simpleperf to read apk files and libraries executed by the app.
# NOTE(review): some r_dir_file() calls below carry a trailing ';' and others
# (e.g. the one above) do not — the build evidently tolerates both, but confirm
# before normalizing.
r_dir_file(simpleperf, privapp_data_file);
r_dir_file(simpleperf, app_data_file);
allow simpleperf { apk_tmp_file apk_private_tmp_file }:file { getattr read };
allow simpleperf system_linker_exec:file r_file_perms;
allow simpleperf app_exec_data_file:file r_file_perms;
allow simpleperf asec_public_file:file r_file_perms;
r_dir_file(simpleperf, vendor_app_file);

# Allow simpleperf to read input files passed from adb shell.
allow simpleperf shell_data_file:file r_file_perms;
allow simpleperf shell_data_file:dir r_dir_perms;

# Neverallows:

# Profiling must be confined to the scope of an individual app.
# Compile-time assertion: no rule in the policy may grant simpleperf any
# perf_event permission on itself other than the four allowed above.
neverallow simpleperf self:perf_event ~{ open read write kernel };
# Never allow other processes to ptrace simpleperf, as this could leak sensitive information from
# raw samples. crash_dump and llkd are the only domains exempted here.
neverallow { domain -crash_dump -llkd } simpleperf:process ptrace;