3f8c271db8
Heapprofd needs to read binary files and library in order to support
unwinding the stack. sytem_file does not include all thes files, e.g.
zygote_exec is only labeled as system_file_type.
Denials:
12-03 10:50:37.485 9263 9263 I heapprofd: type=1400 audit(0.0:177): avc: denied { read } for name="app_process64" dev="dm-0" ino=2286 scontext=u:r:heapprofd:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file permissive=1
12-03 10:50:37.485 9263 9263 I heapprofd: type=1400 audit(0.0:178): avc: denied { open } for path="/system/bin/app_process64" dev="dm-0" ino=2286 scontext=u:r:heapprofd:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file permissive=1
12-03 10:50:37.485 9263 9263 I heapprofd: type=1400 audit(0.0:179): avc: denied { getattr } for path="/system/bin/app_process64" dev="dm-0" ino=2286 scontext=u:r:heapprofd:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file permissive=1
Change-Id: Ie04b722a78ff6367729930ee0ef96f48ccf6aa55
Bug: 117762471
42 lines
1.1 KiB
Text
42 lines
1.1 KiB
Text
# Android Heap Profiler Daemon go/heapprofd
|
|
type heapprofd_exec, exec_type, file_type, system_file_type;
|
|
|
|
init_daemon_domain(heapprofd)
|
|
|
|
set_prop(heapprofd, heapprofd_prop);
|
|
|
|
userdebug_or_eng(`
|
|
# Allow to send signal to processes.
|
|
# This excludes SIGKILL, SIGSTOP and SIGCHLD,
|
|
# which are controlled by separate permissions.
|
|
allow heapprofd self:capability kill;
|
|
|
|
# Executables and libraries.
|
|
# These are needed to read the ELF binary data needed for unwinding.
|
|
r_dir_file(heapprofd, system_file_type)
|
|
r_dir_file(heapprofd, apk_data_file)
|
|
r_dir_file(heapprofd, dalvikcache_data_file)
|
|
r_dir_file(heapprofd, vendor_file_type)
|
|
')
|
|
|
|
# Write trace data to the Perfetto traced damon. This requires connecting to its
|
|
# producer socket and obtaining a (per-process) tmpfs fd.
|
|
allow heapprofd traced:fd use;
|
|
allow heapprofd traced_tmpfs:file { read write getattr map };
|
|
unix_socket_connect(heapprofd, traced_producer, traced)
|
|
|
|
never_profile_heap(`{
|
|
bpfloader
|
|
init
|
|
kernel
|
|
keystore
|
|
llkd
|
|
logd
|
|
ueventd
|
|
vendor_init
|
|
vold
|
|
}')
|
|
|
|
full_treble_only(`
|
|
neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
|
|
')
|