Allow heapprofd to write to /proc/$PID/page_idle.
Change-Id: Ic7d13ebfe7c26df14e23976b9329b6ba1b016498
diff --git a/public/te_macros b/public/te_macros
index cd4bf61..777f481 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -686,10 +686,15 @@
# Use shared memory received over the unix socket.
allow $1 heapprofd:fd use;
- # To read from the received file descriptors.
+ # To read and write from the received file descriptors.
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
# process they relate to.
- allow heapprofd $1:file r_file_perms;
+ # We need to write to /proc/$PID/page_idle to find idle allocations.
+ # The client only opens /proc/self/page_idle with RDWR, everything else
+ # with RDONLY.
+ # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+ # sys_ptrace.
+ allow heapprofd $1:file rw_file_perms;
# Allow searching the /proc/[pid] directory for cmdline.
allow heapprofd $1:dir r_dir_perms;
')
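Review bot: The new `allow heapprofd $1:file rw_file_perms;` rule grants write on every file carrying the client's label, not only page_idle, and per the comment above it that includes /proc/[pid]/mem. SELinux cannot tell those proc entries apart, so the only things keeping heapprofd from writing client memory are the kernel's ptrace access check and the client's habit of opening everything except page_idle RDONLY, and neither is enforced by this policy. I would state that in the comment, e.g. `# NOTE: this also permits write on /proc/[pid]/mem at the SELinux level; safety relies on heapprofd lacking sys_ptrace.` If heapprofd's own policy file does not already have one (it is not visible here), a `neverallow heapprofd self:global_capability_class_set sys_ptrace;` would pin that invariant, so that a later capability grant fails at build time. The enclosing macro starts above this hunk, so I cannot see which domains are passed as `$1`.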