Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Android heap profiling daemon. go/heapprofd.
|
|
|
|
|
#
|
|
|
|
|
# On user builds, this daemon is responsible for receiving the initial
|
|
|
|
|
# profiling configuration, finding matching target processes (if profiling by
|
|
|
|
|
# process name), and sending the activation signal to them (+ setting system
|
|
|
|
|
# properties for new processes to start profiling from startup). When profiling
|
|
|
|
|
# is triggered in a process, it spawns a private heapprofd subprocess (in its
|
|
|
|
|
# own SELinux domain), which will exclusively handle profiling of its parent.
|
|
|
|
|
#
|
|
|
|
|
# On debug builds, this central daemon performs profiling for all target
|
|
|
|
|
# processes (which talk directly to this daemon).
|
2018-10-15 19:02:02 +02:00
|
|
|
type heapprofd_exec, exec_type, file_type, system_file_type;
|
2019-02-28 16:59:32 +01:00
|
|
|
type heapprofd_tmpfs, file_type;
|
2018-10-15 19:02:02 +02:00
|
|
|
|
|
|
|
|
init_daemon_domain(heapprofd)
|
2019-02-28 16:59:32 +01:00
|
|
|
tmpfs_domain(heapprofd)
|
|
|
|
|
|
|
|
|
|
# Allow apps in other MLS contexts (for multi-user) to access
|
2019-03-04 17:43:37 +01:00
|
|
|
# shared memory buffers created by heapprofd.
|
2019-02-28 16:59:32 +01:00
|
|
|
typeattribute heapprofd_tmpfs mlstrustedobject;
|
2018-10-30 13:19:27 +01:00
|
|
|
|
2018-11-08 14:58:13 +01:00
|
|
|
set_prop(heapprofd, heapprofd_prop);
|
|
|
|
|
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# Necessary for /proc/[pid]/cmdline access & sending signals.
|
|
|
|
|
typeattribute heapprofd mlstrustedsubject;
|
|
|
|
|
|
|
|
|
|
# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
|
|
|
|
|
# SIGCHLD, which are controlled by separate permissions.
|
|
|
|
|
allow heapprofd self:capability kill;
|
|
|
|
|
|
|
|
|
|
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
|
2020-07-31 20:28:11 +02:00
|
|
|
# profiling, only allowlisted domains will be allowed by SELinux. Avoid
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
# spamming logs with denials for entries that we can not access.
|
|
|
|
|
dontaudit heapprofd domain:dir { search open };
|
|
|
|
|
|
|
|
|
|
# Write trace data to the Perfetto traced daemon. This requires connecting to
|
|
|
|
|
# its producer socket and obtaining a (per-process) tmpfs fd.
|
2019-10-08 17:15:14 +02:00
|
|
|
perfetto_producer(heapprofd)
|
Allow heap profiling of certain app domains on user builds
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
2019-01-16 17:29:43 +01:00
|
|
|
|
|
|
|
|
# When handling profiling for all processes, heapprofd needs to read
|
|
|
|
|
# executables/libraries/etc to do stack unwinding.
|
2021-01-11 18:17:30 +01:00
|
|
|
r_dir_file(heapprofd, nativetest_data_file)
|
|
|
|
|
r_dir_file(heapprofd, system_file_type)
|
2020-10-16 16:29:55 +02:00
|
|
|
r_dir_file(heapprofd, apex_art_data_file)
|
2021-01-11 18:17:30 +01:00
|
|
|
r_dir_file(heapprofd, apk_data_file)
|
|
|
|
|
r_dir_file(heapprofd, dalvikcache_data_file)
|
|
|
|
|
r_dir_file(heapprofd, vendor_file_type)
|
2021-02-09 14:28:49 +01:00
|
|
|
r_dir_file(heapprofd, shell_test_data_file)
|
2021-01-11 18:17:30 +01:00
|
|
|
# Some dex files are not world-readable.
|
|
|
|
|
# We are still constrained by the SELinux rules above.
|
|
|
|
|
allow heapprofd self:global_capability_class_set dac_read_search;
|
2018-10-30 13:19:27 +01:00
|
|
|
|
2020-12-16 15:34:56 +01:00
|
|
|
# For checking profileability.
|
|
|
|
|
allow heapprofd packages_list_file:file r_file_perms;
|
|
|
|
|
|
2019-03-21 14:07:05 +01:00
|
|
|
# This is going to happen on user but is benign because central heapprofd
|
|
|
|
|
# does not actually need these permission.
|
|
|
|
|
# If the dac_read_search capability check is rejected, the kernel then tries
|
|
|
|
|
# to perform a dac_override capability check, so we need to dontaudit that
|
|
|
|
|
# as well.
|
|
|
|
|
dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
|
|
|
|
|
|
2018-10-30 13:19:27 +01:00
|
|
|
never_profile_heap(`{
|
|
|
|
|
bpfloader
|
|
|
|
|
init
|
|
|
|
|
kernel
|
|
|
|
|
keystore
|
|
|
|
|
llkd
|
|
|
|
|
logd
|
|
|
|
|
ueventd
|
|
|
|
|
vendor_init
|
|
|
|
|
vold
|
|
|
|
|
}')
|
|
|
|
|
|
|
|
|
|
full_treble_only(`
|
|
|
|
|
neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
|
|
|
|
|
')
|
