# Android heap profiling daemon. go/heapprofd.
#
# On user builds, this daemon is responsible for receiving the initial
# profiling configuration, finding matching target processes (if profiling by
# process name), and sending the activation signal to them (+ setting system
# properties for new processes to start profiling from startup). When profiling
# is triggered in a process, it spawns a private heapprofd subprocess (in its
# own SELinux domain), which will exclusively handle profiling of its parent.
#
# On debug builds, this central daemon performs profiling for all target
# processes (which talk directly to this daemon).

# Executable and tmpfs types for the daemon. The heapprofd domain itself is
# set up by the init_daemon_domain/tmpfs_domain macros (defined elsewhere in
# the policy).
type heapprofd_exec, exec_type, file_type, system_file_type;
type heapprofd_tmpfs, file_type;

init_daemon_domain(heapprofd)
tmpfs_domain(heapprofd)

# Allow apps in other MLS contexts (for multi-user) to access
# shared memory buffers created by heapprofd.
typeattribute heapprofd_tmpfs mlstrustedobject;

# heapprofd owns its own system properties (used to make newly started
# processes begin profiling from startup, see the header above).
set_prop(heapprofd, heapprofd_prop);

# Necessary for /proc/[pid]/cmdline access & sending signals across MLS
# levels (multi-user).
typeattribute heapprofd mlstrustedsubject;

# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
# SIGCHLD, which are controlled by separate (per-target) permissions; the
# capability only lifts the kernel's DAC ownership check for signals.
allow heapprofd self:capability kill;

# When scanning /proc/[pid]/cmdline to find matching processes for by-name
# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we cannot access. This only
# silences the audit records; it grants no access.
dontaudit heapprofd domain:dir { search open };

# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(heapprofd)

# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding. Read-only (r_dir_file);
# write/execute on these types is not granted here.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
r_dir_file(heapprofd, apex_art_data_file)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
r_dir_file(heapprofd, shell_test_data_file)
# Some dex files are not world-readable, so the DAC check must be bypassed.
# We are still constrained by the SELinux rules above: dac_read_search does
# not widen the set of types heapprofd may read.
allow heapprofd self:global_capability_class_set dac_read_search;

# For checking profileability (read-only access to the packages list).
allow heapprofd packages_list_file:file r_file_perms;

# These checks are going to happen on user builds but are benign because the
# central heapprofd does not actually need these permissions.
# If the dac_read_search capability check is rejected, the kernel then tries
# to perform a dac_override capability check, so we need to dontaudit that
# as well.
# NOTE(review): dac_read_search is already allowed unconditionally above, so
# the dontaudit for it appears redundant; dac_override is the only part of this
# rule that still has an effect, and it is silenced, not granted.
dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };

# Domains that must never be heap-profiled, enforced through the
# never_profile_heap macro (defined elsewhere in the policy).
never_profile_heap(`{
  bpfloader
  init
  kernel
  keystore
  llkd
  logd
  ueventd
  vendor_init
  vold
}')

# Full-Treble devices: heapprofd may read vendor files (granted above via
# r_dir_file) but must never be able to write or execute them.
full_treble_only(`
  neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
')