Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Android heap profiling daemon. go/heapprofd.
|
2018-10-15 19:02:02 +02:00
|
|
|
type heapprofd_exec, exec_type, file_type, system_file_type;
|
2019-02-28 16:59:32 +01:00
|
|
|
type heapprofd_tmpfs, file_type;
|
2018-10-15 19:02:02 +02:00
|
|
|
|
|
|
|
|
init_daemon_domain(heapprofd)
|
2019-02-28 16:59:32 +01:00
|
|
|
tmpfs_domain(heapprofd)
|
|
|
|
|
|
|
|
|
|
# Allow apps in other MLS contexts (for multi-user) to access
|
2019-03-04 17:43:37 +01:00
|
|
|
# shared memory buffers created by heapprofd.
|
2019-02-28 16:59:32 +01:00
|
|
|
typeattribute heapprofd_tmpfs mlstrustedobject;
|
2018-10-30 13:19:27 +01:00
|
|
|
|
2018-11-08 14:58:13 +01:00
|
|
|
set_prop(heapprofd, heapprofd_prop);
|
|
|
|
|
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Necessary for /proc/[pid]/cmdline access & sending signals.
|
|
|
|
|
typeattribute heapprofd mlstrustedsubject;
|
|
|
|
|
|
|
|
|
|
# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
|
|
|
|
|
# SIGCHLD, which are controlled by separate permissions.
|
|
|
|
|
allow heapprofd self:capability kill;
|
|
|
|
|
|
|
|
|
|
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
|
2020-07-31 20:28:11 +02:00
|
|
|
# profiling, only allowlisted domains will be allowed by SELinux. Avoid
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# spamming logs with denials for entries that we can not access.
|
|
|
|
|
dontaudit heapprofd domain:dir { search open };
|
|
|
|
|
|
|
|
|
|
# Write trace data to the Perfetto traced daemon. This requires connecting to
|
|
|
|
|
# its producer socket and obtaining a (per-process) tmpfs fd.
|
2019-10-08 17:15:14 +02:00
|
|
|
perfetto_producer(heapprofd)
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
|
|
|
|
|
# When handling profiling for all processes, heapprofd needs to read
|
|
|
|
|
# executables/libraries/etc to do stack unwinding.
|
2021-01-11 18:17:30 +01:00
|
|
|
r_dir_file(heapprofd, nativetest_data_file)
|
|
|
|
|
r_dir_file(heapprofd, system_file_type)
|
|
|
|
|
r_dir_file(heapprofd, apk_data_file)
|
|
|
|
|
r_dir_file(heapprofd, dalvikcache_data_file)
|
|
|
|
|
r_dir_file(heapprofd, vendor_file_type)
|
2021-02-09 14:28:49 +01:00
|
|
|
r_dir_file(heapprofd, shell_test_data_file)
|
2022-08-19 01:30:40 +02:00
|
|
|
# ART apex files and directory access to the containing /data/misc/apexdata.
|
|
|
|
|
r_dir_file(heapprofd, apex_art_data_file)
|
|
|
|
|
allow heapprofd apex_module_data_file:dir { getattr search };
|
|
|
|
|
|
2021-01-11 18:17:30 +01:00
|
|
|
# Some dex files are not world-readable.
|
|
|
|
|
# We are still constrained by the SELinux rules above.
|
|
|
|
|
allow heapprofd self:global_capability_class_set dac_read_search;
|
2018-10-30 13:19:27 +01:00
|
|
|
|
2020-12-16 15:34:56 +01:00
|
|
|
# For checking profileability.
|
|
|
|
|
allow heapprofd packages_list_file:file r_file_perms;
|
|
|
|
|
|
2023-02-02 15:24:45 +01:00
|
|
|
# Never allow profiling privileged or otherwise incompatible domains.
|
|
|
|
|
# Corresponding allow-rule is in private/domain.te.
|
2018-10-30 13:19:27 +01:00
|
|
|
never_profile_heap(`{
|
2023-02-02 15:24:45 +01:00
|
|
|
apexd
|
|
|
|
|
app_zygote
|
2018-10-30 13:19:27 +01:00
|
|
|
bpfloader
|
2023-02-02 15:24:45 +01:00
|
|
|
diced
|
2023-02-21 17:19:29 +01:00
|
|
|
hal_configstore_server
|
2018-10-30 13:19:27 +01:00
|
|
|
init
|
|
|
|
|
kernel
|
|
|
|
|
keystore
|
|
|
|
|
llkd
|
|
|
|
|
logd
|
2023-02-02 15:24:45 +01:00
|
|
|
logpersist
|
|
|
|
|
recovery
|
|
|
|
|
recovery_persist
|
|
|
|
|
recovery_refresh
|
2018-10-30 13:19:27 +01:00
|
|
|
ueventd
|
|
|
|
|
vendor_init
|
|
|
|
|
vold
|
2023-02-02 15:24:45 +01:00
|
|
|
webview_zygote
|
|
|
|
|
zygote
|
2018-10-30 13:19:27 +01:00
|
|
|
}')
|
|
|
|
|
|
|
|
|
|
full_treble_only(`
|
|
|
|
|
neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
|
|
|
|
|
')
|
