traced_perf sepolicy tweaks
* allow shell to enable/disable the daemon via a sysprop
* don't audit signals, as some denials are expected
* exclude zygote from the profileable set of targets on debug builds.
I've not caught any crashes in practice, but believe there's a
possibility that the zygote forks while holding a non-whitelisted fd
due to the signal handler.
Bug: 144281346
Merged-In: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1
(cherry picked from commit 008465e5ec0603f9ce610584d42fba67e73ebfc5)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 108e741..e8a6f73 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -93,6 +93,7 @@
system_unsolzygote_socket
tethering_service
traced_perf
+ traced_perf_enabled_prop
traced_perf_socket
timezonedetector_service
untrusted_app_29
diff --git a/private/domain.te b/private/domain.te
index f54f2c9..32b40c1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -29,7 +29,8 @@
})')
# As above, allow perf profiling most processes on debug builds.
-# Do not diverge the two lists without a really good reason.
+# zygote is excluded as system-wide profiling could end up with it
+# (unexpectedly) holding an open fd across a fork.
userdebug_or_eng(`can_profile_perf({
domain
-bpfloader
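Review bot: The replaced comment drops the instruction not to diverge the two can_profile_perf lists, which still holds for every entry except zygote; the new two lines only explain the zygote exclusion. Suggest keeping both, e.g. adding `# Do not otherwise diverge the two lists without a really good reason.` after the new comment. The `-zygote` entry itself is in the following hunk (`@@ -45,6 +46,7 @@`), and the userdebug_or_eng block opened here spans both hunks. Since app processes run in their own domains after zygote forks them, excluding zygote should leave apps profileable on debug builds, though that is inferred from the domain names rather than visible in this diff.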
@@ -45,6 +46,7 @@
-ueventd
-vendor_init
-vold
+ -zygote
})')
# Path resolution access in cgroups.
diff --git a/private/property_contexts b/private/property_contexts
index 6315c88..cba09a5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -77,6 +77,7 @@
persist.traced.enable u:object_r:traced_enabled_prop:s0
traced.lazy. u:object_r:traced_lazy_prop:s0
persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
+persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 7a78d79..9483e6c 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -36,6 +36,11 @@
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };
+# Do not audit failures to signal a process, as there are cases when this is
+# expected (native processes on debug builds use the policy for enforcing which
+# processes are profileable).
+dontaudit traced_perf domain:process signal;
+
# Never allow access to app data files
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
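Review bot: `dontaudit traced_perf domain:process signal;` is unconditional, but the comment above it justifies the expected denials only for debug builds; on user builds the profileable set is presumably narrower still, so the same denials occur there too and the comment should say so, e.g. `# This applies on all build types: can_profile_perf decides which processes are profileable and the daemon may attempt to signal others.` Because the rule covers the whole `domain` attribute, a genuinely missing allow rule for a target that traced_perf should be able to signal will no longer appear in the audit log; a closing sentence such as `# Temporarily remove this rule when debugging a suspected missing allow.` would save the next maintainer time. The rule's placement next to the existing dir-search dontaudit is consistent with the file's style.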
diff --git a/public/property.te b/public/property.te
index 4696668..21e220d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -22,6 +22,7 @@
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(adbd_prop)
+system_internal_prop(traced_perf_enabled_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
diff --git a/public/shell.te b/public/shell.te
index 0a97465..79d5c89 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -78,6 +78,9 @@
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.
set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
# Allow shell to enable Dynamic System Update