From 253289fe07045b8140ef8fb83cfdedeb38dc7db7 Mon Sep 17 00:00:00 2001
From: Primiano Tucci <primiano@google.com>
Date: Fri, 9 Oct 2020 13:59:41 +0100
Subject: [PATCH] Introduce security.lower_kptr_restrict property

This is to allow the tracing service to temporarily
lower kptr_restrict for the time it takes to build
its internal symbolization map (~200ms), only on
userdebug/eng builds.
kptr_restrict unfortunately cannot be lowered by
the tracing service itself. The main reason for that
is the fact that the kernel enforces a CAP_SYS_ADMIN
capability check at write() time, so the usual pattern
of opening the file in init and passing the FD to the
service won't work.

For more details see the design doc go/perfetto-kallsyms.
Bug: 136133013
Test: perfetto_integrationtests --gtest_filter=PerfettoTest.KernelAddressSymbolization in r.android.com/1454882

Change-Id: Ib2a8c69ed5348cc436223ff5e3eb8fd8df4ab860
---
 rootdir/init.rc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index d5b1d7252..900edb4cc 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -1041,6 +1041,14 @@ on property:security.perf_harden=1
     write /proc/sys/kernel/perf_cpu_time_max_percent 25
     write /proc/sys/kernel/perf_event_mlock_kb 516
 
+# This property can be set only on userdebug/eng. See neverallow rule in
+# /system/sepolicy/private/property.te .
+on property:security.lower_kptr_restrict=1
+    write /proc/sys/kernel/kptr_restrict 0
+
+on property:security.lower_kptr_restrict=0
+    write /proc/sys/kernel/kptr_restrict 2
+
 
 # on shutdown
 # In device's init.rc, this trigger can be used to do device-specific actions