Make heapprofd work with MLS.
Arbitrary apps need to connect to heapprofd in order to send samples.
Relevant denial when trying to profile com.google.android.inputmethod.latin
on userdebug:
12-20 14:50:20.420 25219 25219 I heapprofd: type=1400 audit(0.0:1006): avc: denied { read } for path="/proc/24819/mem" dev="proc" ino=244219 scontext=u:r:heapprofd:s0 tcontext=u:r:untrusted_app_27:s0:c133,c256,c512,c768 tclass=file permissive=1
Bug: 121370989
Test: m
Test: flash walleye
Test: profile com.google.android.inputmethod.latin
Change-Id: Iee82c8c49951e5a5726cd5ab0b9e8fa71226c802
diff --git a/private/heapprofd.te b/private/heapprofd.te
index b7013d7..5a17990 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -6,6 +6,9 @@
set_prop(heapprofd, heapprofd_prop);
userdebug_or_eng(`
+ # TODO(fmayer): We will also need this on user to read /proc/<pid>/cmdline
+ # and send signals.
+ typeattribute heapprofd mlstrustedsubject;
# Allow to send signal to processes.
# This excludes SIGKILL, SIGSTOP and SIGCHLD,
# which are controlled by separate permissions.
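Review bot: The added `typeattribute heapprofd mlstrustedsubject;` exempts heapprofd from the MLS constraints for every access its TE rules allow, not only the `/proc/<pid>/mem` read shown in the denial, and the new comment does not record that. I would state the reason at the line, e.g. `# MLS exemption: apps run with per-app categories, so heapprofd at s0 cannot read their /proc entries otherwise; TE allow rules are then the only limit.` The TODO plans to extend this to user builds for cmdline reads and signals. When that happens, any rules granting process-memory reads (not visible in this hunk) should stay inside `userdebug_or_eng`, so the user-build exemption covers only those two accesses. The `userdebug_or_eng` block continues past the end of this hunk.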
diff --git a/public/file.te b/public/file.te
index 99a2c0d..2a5e6f4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -395,7 +395,7 @@
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
-type heapprofd_socket, file_type, coredomain_socket;
+type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
# UART (for GPS) control proc file
type gps_control, file_type;
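Review bot: `mlstrustedobject` on `heapprofd_socket` is declared here without a build-type guard, so unlike the subject attribute in private/heapprofd.te it presumably takes effect on user builds as well. With the MLS check lifted for this socket, the TE rules granting access to it alone decide which domains can reach heapprofd. Those rules are not visible in this diff, so it is worth confirming they are as narrow as intended. A short comment above the type would record the intent, e.g. `# mlstrustedobject: apps at any MLS level must be able to connect to send samples.`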