From f80cb8ae4eb5f711863af8a92898d28ffc9762e4 Mon Sep 17 00:00:00 2001
From: Kyle Lin <kylelin@google.com>
Date: Wed, 24 Nov 2021 10:28:01 +0800
Subject: [PATCH] Add policy for memlat governor needs create/delete perf
 events

[46756.223414] type=1400 audit(1637720953.624:1227238): avc: denied { cpu } for comm="cpuhp/3" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=1
[46791.079905] type=1400 audit(1637720988.480:1228172): avc: denied { cpu } for comm="cpuhp/5" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=1
[46831.825465] type=1400 audit(1637721029.228:1230804): avc: denied { cpu } for comm="cpuhp/4" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=1
[47068.752724] type=1400 audit(1637721266.152:1237844): avc: denied { cpu } for comm="cpuhp/3" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=1
[47227.488992] type=1400 audit(1637721424.888:1241154): avc: denied { cpu } for comm="cpuhp/7" scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=perf_event permissive=1

Bug: 207047575
Test: build, boot and check warning message
Change-Id: I735d5cfa5eb5614114d83a7892123d37c980d531
---
 whitechapel_pro/kernel.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te
index 0958ba11..0156784e 100644
--- a/whitechapel_pro/kernel.te
+++ b/whitechapel_pro/kernel.te
@@ -4,3 +4,6 @@ allow kernel vendor_fw_file:file r_file_perms;
 # ZRam
 allow kernel per_boot_file:file r_file_perms;
 
+# memlat needs permision to create/delete perf events when hotplug on/off
+allow kernel self:capability2 perfmon;
+allow kernel self:perf_event cpu;