debug builds: allow perf profiling of most domains
As with heapprofd, it's useful to profile the platform itself on debug
builds (compared to just apps on "user" builds).
Bug: 137092007
Change-Id: I8630c20e0da9c67e4927496802a4cd9cacbeb81a
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 5f20086..a826f7f 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -132,8 +132,9 @@
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
-# Only allow app_zygote to talk to the logd socket, and su/heapprofd on eng/userdebug
-# This is because cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
+# Only allow app_zygote to talk to the logd socket, and
+# su/heapprofd/traced_perf on eng/userdebug. This is because
+# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
# Think twice before changing.
neverallow app_zygote {
domain
@@ -142,6 +143,7 @@
-system_server
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:unix_dgram_socket *;
neverallow app_zygote {
@@ -149,6 +151,7 @@
-app_zygote
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:unix_stream_socket *;
# Never allow ptrace
diff --git a/private/domain.te b/private/domain.te
index dfd8038..df42fdc 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -28,6 +28,25 @@
-vold
})')
+# As above, allow perf profiling most processes on debug builds.
+# Do not diverge the two lists without a really good reason.
+userdebug_or_eng(`can_profile_perf({
+ domain
+ -bpfloader
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
+ -ueventd
+ -vendor_init
+ -vold
+})')
+
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
diff --git a/public/domain.te b/public/domain.te
index 1312ad9..d5a2afe 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -728,7 +728,8 @@
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
- userdebug_or_eng('-heapprofd`)
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
});
')
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 1a95b72..069da47 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -34,6 +34,7 @@
userdebug_or_eng(`-su')
-tombstoned
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data