traced_perf sepolicy tweaks

* allow shell to enable/disable the daemon via a sysprop
* don't audit signals, as some denials are expected
* exclude zygote from the profileable set of targets on debug builds.
  I've not caught any crashes in practice, but believe there's a
  possibility that the zygote forks while holding a non-whitelisted fd
  due to the signal handler.

Change-Id: Ib237d4edfb40b200a3bd52e6341f13c4777de3f1

private/compat/29.0/29.0.ignore.cil

@@ -93,6 +93,7 @@
     system_unsolzygote_socket
     tethering_service
     traced_perf
+    traced_perf_enabled_prop
     traced_perf_socket
     timezonedetector_service
     untrusted_app_29

private/domain.te

@@ -29,7 +29,8 @@ userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
 })')
 
 # As above, allow perf profiling most processes on debug builds.
-# Do not diverge the two lists without a really good reason.
+# zygote is excluded as system-wide profiling could end up with it
+# (unexpectedly) holding an open fd across a fork.
 userdebug_or_eng(`can_profile_perf({
   domain
   -bpfloader
@@ -45,6 +46,7 @@ userdebug_or_eng(`can_profile_perf({
   -ueventd
   -vendor_init
   -vold
+  -zygote
 })')
 
 # Path resolution access in cgroups.

private/property_contexts

@@ -77,6 +77,7 @@ persist.security.       u:object_r:system_prop:s0
 persist.traced.enable   u:object_r:traced_enabled_prop:s0
 traced.lazy.            u:object_r:traced_lazy_prop:s0
 persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
+persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
 persist.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boottime.             u:object_r:boottime_prop:s0

private/traced_perf.te

@@ -36,6 +36,11 @@ r_dir_file(traced_perf, vendor_file_type)
 # domains that it cannot read.
 dontaudit traced_perf domain:dir { search getattr open };
 
+# Do not audit failures to signal a process, as there are cases when this is
+# expected (native processes on debug builds use the policy for enforcing which
+# processes are profileable).
+dontaudit traced_perf domain:process signal;
+
 # Never allow access to app data files
 neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
 

public/property.te

@@ -22,6 +22,7 @@ system_internal_prop(pm_prop)
 system_internal_prop(userspace_reboot_log_prop)
 system_internal_prop(system_adbd_prop)
 system_internal_prop(adbd_prop)
+system_internal_prop(traced_perf_enabled_prop)
 
 compatible_property_only(`
     # DO NOT ADD ANY PROPERTIES HERE

public/shell.te

@@ -78,6 +78,9 @@ userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
 # Allow shell to start/stop heapprofd via the persist.heapprofd.enable
 # property.
 set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
 set_prop(shell, ctl_gsid_prop)
 # Allow shell to enable Dynamic System Update