# Performance profiler, backed by perf_event_open(2). # See go/perfetto-perf-android. typeattribute traced_perf coredomain; typeattribute traced_perf mlstrustedsubject; type traced_perf_exec, system_file_type, exec_type, file_type; init_daemon_domain(traced_perf) perfetto_producer(traced_perf) # Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide # profiling, but retain samples only for profileable processes. # Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH # check (which would require a process:attach SELinux allow-rule). allow traced_perf self:perf_event { open cpu kernel read write tracepoint }; # Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a # process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of # sampled stacks, which requires opening the backing libraries/executables (as # symbols are usually not mapped into the process space). Not all such files # are world-readable, e.g. odex files that included user profiles during # profile-guided optimization. allow traced_perf self:capability { kill dac_read_search }; # Allow reading /system/data/packages.list. allow traced_perf packages_list_file:file r_file_perms; # Allow reading files for stack unwinding and symbolization. r_dir_file(traced_perf, nativetest_data_file) r_dir_file(traced_perf, system_file_type) r_dir_file(traced_perf, apk_data_file) r_dir_file(traced_perf, dalvikcache_data_file) r_dir_file(traced_perf, vendor_file_type) # Do not audit the cases where traced_perf attempts to access /proc/[pid] for # domains that it cannot read. dontaudit traced_perf domain:dir { search getattr open }; # Never allow access to app data files neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *; # Never allow profiling highly privileged processes. never_profile_heap(`{ bpfloader init kernel keystore llkd logd ueventd vendor_init vold }')