surfaceflinger: allow to be profiled by perfetto on release builds

This is a key system process for certain performance investigations, so
allow perfetto profiling of its native heap and general callstack
sampling. This is already allowed on debuggable builds via domain.te.

In addition to the sepolicy, the profiler itself does checks on whether
to allow profiling. At the time of writing, profiling requests coming
from "shell" for surfaceflinger will be disallowed (as it is a native
process running as "system"). However profiling requests coming from the
platform via "statsd" will be allowed.

Bug: 217368496
Tested: profiled surfaceflinger on local internal/master sargo-user build
Change-Id: Ib092064ea911aed08d981adc823cd871fc271a96
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index bc7543b..5223b50 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -72,9 +72,13 @@
allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')
-# Needed to register as a Perfetto producer.
+# Allow userspace tracing via perfetto.
perfetto_producer(surfaceflinger)
+# Allow to be profiled by performance tools.
+can_profile_heap(surfaceflinger)
+can_profile_perf(surfaceflinger)
+
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
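Review bot: The comment above the two new macro calls, "# Allow to be profiled by performance tools.", does not record that can_profile_heap(surfaceflinger) and can_profile_perf(surfaceflinger) are added unconditionally and therefore apply on release builds, nor that the policy depends on the profiler's own checks to decide which requesters may profile the process. The commit message explains both (already allowed on debuggable builds via domain.te; "shell" requests refused and "statsd" requests accepted by the profiler), but someone auditing surfaceflinger.te only sees the grant. Suggest expanding the comment to say that this extends the debuggable-build allowance to release builds and that requester filtering is enforced by the profiler rather than by sepolicy. The Tested: line only mentions a successful profile on a sargo-user build; it would help to state whether a shell-originated request was also confirmed to be refused there, since that check is the remaining restriction once this lands.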