Allow heapprofd central mode on user builds.
This simplifies operation by removing a special case for user builds. Test: atest CtsPerfettoTestCases on user Test: atest CtsPerfettoTestCases on userdebug Test: atest perfetto_integrationtests on userdebug Bug: 153139002 Change-Id: Ibbf3dd5e4f75c2a02d931f73b96fabb8157e0ebf
parent
bd15e9ac63
commit
a8a3d8b1bf
5 changed files with 16 additions and 55 deletions
|
@ -49,7 +49,7 @@ full_treble_only(`
|
|||
-idmap
|
||||
-init
|
||||
-installd
|
||||
userdebug_or_eng(`-heapprofd')
|
||||
-heapprofd
|
||||
-postinstall_dexopt
|
||||
-rs # spawned by appdomain, so carryover the exception above
|
||||
-system_server
|
||||
|
@ -66,7 +66,7 @@ full_treble_only(`
|
|||
-idmap
|
||||
-init
|
||||
-installd
|
||||
userdebug_or_eng(`-heapprofd')
|
||||
-heapprofd
|
||||
userdebug_or_eng(`-profcollectd')
|
||||
-postinstall_dexopt
|
||||
-rs # spawned by appdomain, so carryover the exception above
|
||||
|
@ -93,7 +93,7 @@ full_treble_only(`
|
|||
-app_zygote
|
||||
-webview_zygote
|
||||
-zygote
|
||||
userdebug_or_eng(`-heapprofd')
|
||||
-heapprofd
|
||||
} vendor_overlay_file:dir { getattr open read search };
|
||||
')
|
||||
|
||||
|
@ -113,7 +113,7 @@ full_treble_only(`
|
|||
-app_zygote
|
||||
-webview_zygote
|
||||
-zygote
|
||||
userdebug_or_eng(`-heapprofd')
|
||||
-heapprofd
|
||||
userdebug_or_eng(`-profcollectd')
|
||||
} vendor_overlay_file:file open;
|
||||
')
|
||||
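Review bot: The four `-heapprofd` exemptions in these `full_treble_only` neverallow lists are no longer limited to debug builds, and none of them carries a reason, whereas neighbouring entries do (`-rs # spawned by appdomain, so carryover the exception above`). A trailing comment such as `-heapprofd # reads executables/libraries for stack unwinding` would record why a daemon that now ships on user builds is exempt. The same applies to the unconditional `heapprofd` entries at `@ -307` and `@ -414` in the next file. The neverallow statements of the first two hunks start outside the visible lines, so which object types they guard cannot be seen here and should be checked against the read grants heapprofd actually needs.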
|
|
|
@ -11,7 +11,7 @@ allow domain crash_dump:process sigchld;
|
|||
# necessary SELinux permissions.
|
||||
get_prop(domain, heapprofd_prop);
|
||||
# Allow heap profiling on debug builds.
|
||||
userdebug_or_eng(`can_profile_heap_central({
|
||||
userdebug_or_eng(`can_profile_heap({
|
||||
domain
|
||||
-bpfloader
|
||||
-init
|
||||
|
@ -307,7 +307,7 @@ neverallow ~{
|
|||
iorap_prefetcherd
|
||||
traced_perf
|
||||
traced_probes
|
||||
userdebug_or_eng(`heapprofd')
|
||||
heapprofd
|
||||
} self:global_capability_class_set dac_read_search;
|
||||
|
||||
# Limit what domains can mount filesystems or change their mount flags.
|
||||
|
@ -414,7 +414,7 @@ full_treble_only(`
|
|||
-iorap_inode2filename
|
||||
-iorap_prefetcherd
|
||||
-kernel # loads /vendor/firmware
|
||||
userdebug_or_eng(`-heapprofd')
|
||||
-heapprofd
|
||||
userdebug_or_eng(`-profcollectd')
|
||||
-shell
|
||||
-system_executes_vendor_violators
|
||||
|
|
|
@ -39,19 +39,14 @@ perfetto_producer(heapprofd)
|
|||
|
||||
# When handling profiling for all processes, heapprofd needs to read
|
||||
# executables/libraries/etc to do stack unwinding.
|
||||
userdebug_or_eng(`
|
||||
r_dir_file(heapprofd, nativetest_data_file)
|
||||
r_dir_file(heapprofd, system_file_type)
|
||||
r_dir_file(heapprofd, apk_data_file)
|
||||
r_dir_file(heapprofd, dalvikcache_data_file)
|
||||
r_dir_file(heapprofd, vendor_file_type)
|
||||
r_dir_file(heapprofd, shell_data_file)
|
||||
# Some dex files are not world-readable.
|
||||
# We are still constrained by the SELinux rules above.
|
||||
allow heapprofd self:global_capability_class_set dac_read_search;
|
||||
|
||||
allow heapprofd proc_kpageflags:file r_file_perms;
|
||||
')
|
||||
r_dir_file(heapprofd, nativetest_data_file)
|
||||
r_dir_file(heapprofd, system_file_type)
|
||||
r_dir_file(heapprofd, apk_data_file)
|
||||
r_dir_file(heapprofd, dalvikcache_data_file)
|
||||
r_dir_file(heapprofd, vendor_file_type)
|
||||
# Some dex files are not world-readable.
|
||||
# We are still constrained by the SELinux rules above.
|
||||
allow heapprofd self:global_capability_class_set dac_read_search;
|
||||
|
||||
# For checking profileability.
|
||||
allow heapprofd packages_list_file:file r_file_perms;
|
||||
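Review bot: With the `userdebug_or_eng` wrapper gone, `allow heapprofd self:global_capability_class_set dac_read_search;` and the five `r_dir_file` grants apply on user builds, but the only rationale kept is "We are still constrained by the SELinux rules above", which does not say what limits the daemon to profileable targets. I would extend that comment to state that these grants cover every file of the listed types regardless of which process is being profiled, and that the restriction to opted-in processes is presumably enforced by heapprofd itself through the `packages_list_file` check below. It is also worth confirming whether `nativetest_data_file` is needed outside debug builds; if not, keeping it as `userdebug_or_eng(`r_dir_file(heapprofd, nativetest_data_file)')` preserves least privilege on user.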
|
|
|
@ -1204,7 +1204,6 @@ neverallow {
|
|||
domain
|
||||
-shell
|
||||
userdebug_or_eng(`-uncrypt')
|
||||
userdebug_or_eng(`-heapprofd')
|
||||
-installd
|
||||
} shell_data_file:lnk_file read;
|
||||
|
||||
|
@ -1233,7 +1232,6 @@ neverallow {
|
|||
-simpleperf_app_runner
|
||||
-system_server # why?
|
||||
userdebug_or_eng(`-uncrypt')
|
||||
userdebug_or_eng(`-heapprofd')
|
||||
} shell_data_file:dir { open search };
|
||||
|
||||
# Same as above for /data/local/tmp files. We allow shell files
|
||||
|
@ -1245,7 +1243,6 @@ neverallow {
|
|||
-dumpstate
|
||||
-installd
|
||||
userdebug_or_eng(`-uncrypt')
|
||||
userdebug_or_eng(`-heapprofd')
|
||||
} shell_data_file:file open;
|
||||
|
||||
# servicemanager and vndservicemanager are the only processes which handle the
|
||||
|
|
|
@ -693,40 +693,9 @@ define(`hal_attribute_service', `
|
|||
|
||||
###################################
|
||||
# can_profile_heap(domain)
|
||||
# Allow processes within the domain to have their heap profiled by heapprofd.
|
||||
#
|
||||
# Note that profiling is performed differently between debug and user builds.
|
||||
# There are two modes for profiling:
|
||||
# * forked
|
||||
# * central.
|
||||
# On user builds, the default is to allow only forked mode. If it is desired
|
||||
# to allow central mode as well for a domain, use can_profile_heap_central.
|
||||
# On userdebug, this macro allows both forked and central.
|
||||
define(`can_profile_heap', `
|
||||
# Allow central daemon to send signal for client initialization.
|
||||
allow heapprofd $1:process signal;
|
||||
|
||||
# Allow executing a private heapprofd process to handle profiling on
|
||||
# user builds (also debug builds for testing & development purposes).
|
||||
allow $1 heapprofd_exec:file rx_file_perms;
|
||||
|
||||
# Allow directory & file read to the central heapprofd daemon, as it scans
|
||||
# /proc/[pid]/cmdline for by-process-name profiling configs.
|
||||
# Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
|
||||
allow heapprofd $1:file r_file_perms;
|
||||
allow heapprofd $1:dir r_dir_perms;
|
||||
|
||||
# Profilability on user implies profilability on userdebug and eng.
|
||||
userdebug_or_eng(`
|
||||
can_profile_heap_central($1)
|
||||
')
|
||||
')
|
||||
|
||||
###################################
|
||||
# can_profile_heap_central(domain)
|
||||
# Allow processes within the domain to have their heap profiled by central
|
||||
# heapprofd.
|
||||
define(`can_profile_heap_central', `
|
||||
define(`can_profile_heap', `
|
||||
# Allow central daemon to send signal for client initialization.
|
||||
allow heapprofd $1:process signal;
|
||||
# Allow connecting to the daemon.
|
||||
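Review bot: Dropping the `can_profile_heap_central` definition from this macro file will break the build of any device or vendor policy outside this tree that still calls it; if such callers may exist, a one-line alias `define(`can_profile_heap_central', `can_profile_heap($1)')` keeps them compiling. The header left on the new side no longer mentions build types at all, so I would add a line such as `# Applies on all build types; grants the central heapprofd daemon access to the domain.` to make clear that every existing `can_profile_heap` caller now exposes its domain to the central daemon on user builds. The macro body continues past the end of this hunk, so the full set of permissions it grants is not visible here.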
|
|