Allow system_server to collect app heapdumps (debug builds only)

On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:

  % adb shell am set-watch-heap com.android.systemui 1048576
  % adb shell dumpsys procstats --start-testing

which will dump the app's heap to /data/system/heapdump. See
frameworks/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.

Allow this behavior.

Addresses the following denial:

  avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0

Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
diff --git a/app.te b/app.te
index 73fb68b..ffaae23 100644
--- a/app.te
+++ b/app.te
@@ -90,6 +90,14 @@
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };
 
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+  allow appdomain heapdump_data_file:file append;
+')
+
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # Everybody can read the xt_qtaguid resource tracking misc dev.
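Review bot: The denial quoted in the commit message is for `write`, but the new rule `allow appdomain heapdump_data_file:file append;` grants only `append`. For a descriptor received from another process the kernel checks the permission that matches the descriptor's open mode, so this presumably resolves the denial only when system_server opens javaheap.bin in append mode; that dependency is not visible in this patch and is worth confirming. Withholding `open` and `write` is the right shape, since apps can then only add to a file system_server handed them, and I would state that in the comment, e.g. `# No open/write: apps may only append to an fd passed by system_server.`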
diff --git a/file.te b/file.te
index 25c3b7e..42cc8ac 100644
--- a/file.te
+++ b/file.te
@@ -82,6 +82,8 @@
 type property_data_file, file_type, data_file_type;
 # /data/bootchart
 type bootchart_data_file, file_type, data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
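Review bot: `mlstrustedobject` on `heapdump_data_file` needs a comment explaining why it is there. The attribute exempts the type from MLS category checks; it appears to be needed because the writing app runs with categories (`s0:c512,c768` in the quoted denial) while the file is labelled `s0`. Heap dumps contain app memory, so access to them then rests entirely on the type-enforcement rules for this type, and the declaration is unconditional even though the feature is debug-only. A comment such as `# mlstrustedobject: apps with MLS categories append via an fd from system_server; keep TE rules on this type minimal.` would record that.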
diff --git a/file_contexts b/file_contexts
index b66c2e0..fcb22e9 100644
--- a/file_contexts
+++ b/file_contexts
@@ -243,6 +243,7 @@
 /data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
+/data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
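Review bot: This entry only takes effect when something relabels the path, and nothing in this patch adds a `type_transition`. A directory that system_server creates at runtime under /data/system would presumably inherit `system_data_file`, and the denial in the commit message would persist. Confirm that the directory is created by init or is restorecon'd so it picks up `heapdump_data_file`, including on devices upgraded with the directory already present. As a style point, the line sits among the /data/misc entries although the path is under /data/system.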
diff --git a/system_server.te b/system_server.te
index 895bd44..a028628 100644
--- a/system_server.te
+++ b/system_server.te
@@ -202,6 +202,10 @@
 allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow system_server dalvikcache_profiles_data_file:file create_file_perms;
 
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
 # Manage /data/misc/adb.
 allow system_server adb_keys_file:dir create_dir_perms;
 allow system_server adb_keys_file:file create_file_perms;
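Review bot: These two rules are unconditional, although the commit title says debug builds only and the app-side rule in app.te is wrapped in `userdebug_or_eng`. If system_server has no need to touch /data/system/heapdump on user builds, wrap both `allow` lines in the same `userdebug_or_eng` macro so the production policy does not carry the grant; if it does need it, for example to clean up the directory, say so in the comment. The comment `# Write to /data/system/heapdump` also understates the grant, since `rw_dir_perms` and `create_file_perms` cover creating, reading and removing files; `# Create, read and delete heap dumps in /data/system/heapdump` would match what is allowed.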