traced_perf sepolicy tweaks * allow shell to enable/disable the daemon via a sysprop * don't audit signals, as some denials are expected * exclude zygote from the profileable set of targets on debug builds. I've not caught any crashes in practice, but believe there's a possibility that the zygote forks while holding a non-whitelisted fd due to the signal handler. Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1

commit: 008465e5ec0603f9ce610584d42fba67e73ebfc5 [log] [tgz]
author: Ryan Savitski <rsavitski@google.com> Wed Feb 19 14:59:17 2020 +0000
committer: Ryan Savitski <rsavitski@google.com> Mon Feb 24 12:23:13 2020 +0000
tree: 3938b71db9ec684cd578ef16c4b2ab120897d3b7
parent: 1ddfce5fc6a7010237377d46f1ddd95de7326902 [diff] [blame]
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 7a78d79..9483e6c 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te

@@ -36,6 +36,11 @@
 # domains that it cannot read.
 dontaudit traced_perf domain:dir { search getattr open };
 
+# Do not audit failures to signal a process, as there are cases when this is
+# expected (native processes on debug builds use the policy for enforcing which
+# processes are profileable).
+dontaudit traced_perf domain:process signal;
+
 # Never allow access to app data files
 neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
commit	008465e5ec0603f9ce610584d42fba67e73ebfc5	[log] [tgz]
author	Ryan Savitski <rsavitski@google.com>	Wed Feb 19 14:59:17 2020 +0000
committer	Ryan Savitski <rsavitski@google.com>	Mon Feb 24 12:23:13 2020 +0000
tree	3938b71db9ec684cd578ef16c4b2ab120897d3b7
parent	1ddfce5fc6a7010237377d46f1ddd95de7326902 [diff] [blame]