Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Android heap profiling daemon. go/heapprofd.
|
|
|
|
#
|
|
|
|
# On user builds, this daemon is responsible for receiving the initial
|
|
|
|
# profiling configuration, finding matching target processes (if profiling by
|
|
|
|
# process name), and sending the activation signal to them (+ setting system
|
|
|
|
# properties for new processes to start profiling from startup). When profiling
|
|
|
|
# is triggered in a process, it spawns a private heapprofd subprocess (in its
|
|
|
|
# own SELinux domain), which will exclusively handle profiling of its parent.
|
|
|
|
#
|
|
|
|
# On debug builds, this central daemon performs profiling for all target
|
|
|
|
# processes (which talk directly to this daemon).
|
2018-10-15 19:02:02 +02:00
|
|
|
type heapprofd_exec, exec_type, file_type, system_file_type;
|
|
|
|
|
|
|
|
init_daemon_domain(heapprofd)
|
2018-10-30 13:19:27 +01:00
|
|
|
|
2018-11-08 14:58:13 +01:00
|
|
|
set_prop(heapprofd, heapprofd_prop);
|
|
|
|
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Necessary for /proc/[pid]/cmdline access & sending signals.
|
|
|
|
typeattribute heapprofd mlstrustedsubject;
|
|
|
|
|
|
|
|
# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
|
|
|
|
# SIGCHLD, which are controlled by separate permissions.
|
|
|
|
allow heapprofd self:capability kill;
|
|
|
|
|
|
|
|
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
|
|
|
|
# profiling, only whitelisted domains will be allowed by SELinux. Avoid
|
|
|
|
# spamming logs with denials for entries that we can not access.
|
|
|
|
dontaudit heapprofd domain:dir { search open };
|
|
|
|
|
|
|
|
# Write trace data to the Perfetto traced daemon. This requires connecting to
|
|
|
|
# its producer socket and obtaining a (per-process) tmpfs fd.
|
|
|
|
allow heapprofd traced:fd use;
|
|
|
|
allow heapprofd traced_tmpfs:file { read write getattr map };
|
|
|
|
unix_socket_connect(heapprofd, traced_producer, traced)
|
|
|
|
|
|
|
|
# When handling profiling for all processes, heapprofd needs to read
|
|
|
|
# executables/libraries/etc to do stack unwinding.
|
2018-10-30 13:19:27 +01:00
|
|
|
userdebug_or_eng(`
|
2018-12-03 12:02:07 +01:00
|
|
|
r_dir_file(heapprofd, system_file_type)
|
|
|
|
r_dir_file(heapprofd, apk_data_file)
|
|
|
|
r_dir_file(heapprofd, dalvikcache_data_file)
|
|
|
|
r_dir_file(heapprofd, vendor_file_type)
|
2018-10-30 13:19:27 +01:00
|
|
|
')
|
|
|
|
|
|
|
|
never_profile_heap(`{
|
|
|
|
bpfloader
|
|
|
|
init
|
|
|
|
kernel
|
|
|
|
keystore
|
|
|
|
llkd
|
|
|
|
logd
|
|
|
|
ueventd
|
|
|
|
vendor_init
|
|
|
|
vold
|
|
|
|
}')
|
|
|
|
|
|
|
|
full_treble_only(`
|
|
|
|
neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
|
|
|
|
')
|