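# profcollectd - hardware profile collection daemon
#
# The two type declarations below are unconditional. Everything that grants
# access sits inside userdebug_or_eng(), so those rules are only compiled in on
# userdebug and eng builds.
#
# NOTE(review): mlstrustedsubject exempts the domain from MLS constraints.
# Presumably this is what lets the /proc/pid scan below read entries of
# processes running with MLS categories - confirm it is still required whenever
# that rule changes.
type profcollectd, domain, coredomain, mlstrustedsubject;
type profcollectd_exec, system_file_type, exec_type, file_type;

userdebug_or_eng(`
  init_daemon_domain(profcollectd)

  # profcollectd opens a file for writing in /data/misc/profcollectd.
  allow profcollectd profcollectd_data_file:file create_file_perms;
  allow profcollectd profcollectd_data_file:dir create_dir_perms;

  # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
  # The cpu and kernel permissions cover cpu-wide and kernel-space events, so the
  # collected samples can describe every process as well as the kernel.
  allow profcollectd self:perf_event { cpu kernel open read write };

  # Allow profcollectd to scan through /proc/pid for all processes.
  # The target is the domain attribute, so this is read access to the /proc
  # entries of every process type on the device.
  r_dir_file(profcollectd, domain)

  # Allow profcollectd to read executable binaries.
  # Both rules are attribute-wide: every file type tagged system_file_type or
  # vendor_file_type becomes readable, not only executables.
  allow profcollectd system_file_type:file r_file_perms;
  allow profcollectd vendor_file_type:file r_file_perms;

  # Allow profcollectd to search for and read kernel modules.
  allow profcollectd vendor_file:dir r_dir_perms;
  allow profcollectd vendor_kernel_modules:file r_file_perms;

  # Allow profcollectd to read system bootstrap libs.
  allow profcollectd system_bootstrap_lib_file:dir search;
  allow profcollectd system_bootstrap_lib_file:file r_file_perms;

  # Allow profcollectd to access tracefs.
  # Directories are read-only, files are read-write, so the daemon can change
  # tracing state and not only read it.
  allow profcollectd debugfs_tracing:dir r_dir_perms;
  allow profcollectd debugfs_tracing:file rw_file_perms;
  allow profcollectd debugfs_tracing_debug:dir r_dir_perms;
  allow profcollectd debugfs_tracing_debug:file rw_file_perms;

  # Allow profcollectd to write to perf_event_paranoid under /proc.
  # NOTE(review): only the write permission is granted here, without open.
  # Confirm that this is enough for the way the daemon reaches the file, and
  # keep the rule this narrow if it is.
  allow profcollectd proc_perf:file write;

  # Allow profcollectd to access cs_etm sysfs.
  r_dir_file(profcollectd, sysfs_devices_cs_etm)

  # Allow profcollectd to ptrace.
  # This grants the sys_ptrace capability to the domain itself. No process
  # ptrace permission on another domain is granted in this file.
  allow profcollectd self:global_capability_class_set sys_ptrace;

  # Allow profcollectd to read its device_config properties and to set
  # profcollectd_node_id_prop.
  get_prop(profcollectd, device_config_profcollect_native_boot_prop)
  set_prop(profcollectd, profcollectd_node_id_prop)

  # Allow profcollectd to publish a binder service and make binder calls.
  binder_use(profcollectd)
  add_service(profcollectd, profcollectd_service)

  # Allow to temporarily lift the kptr_restrict setting and get kernel start address
  # by reading /proc/kallsyms, get module start address by reading /proc/modules.
  # While the setting is lowered, kernel addresses that it would otherwise hide
  # are visible to readers of /proc/kallsyms, which weakens KASLR.
  # NOTE(review): confirm the daemon restores the property on every exit path,
  # including error paths.
  set_prop(profcollectd, lower_kptr_restrict_prop)
  allow profcollectd proc_kallsyms:file r_file_perms;
  allow profcollectd proc_modules:file r_file_perms;

  # Allow profcollectd to read kernel build id.
  allow profcollectd sysfs_kernel_notes:file r_file_perms;
')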