3f3e222527
The profilers cannot open files under
/data/misc/apexdata/com.android.art/dalvik-cache because they're not
allowed to search /data/misc/apexdata with the apex_module_data_file
label.
Example denial:
avc: denied { search } for name="apexdata" dev="dm-37" ino=89
scontext=u:r:traced_perf:s0
tcontext=u:object_r:apex_module_data_file:s0 tclass=dir permissive=0
Tested: patched & flashed onto a TM device, then profiled system_server
Bug: 241544593
Change-Id: Ifd8b94a9ebcae09701e95f6cd6a14383209963db
80 lines
3 KiB
Text
80 lines
3 KiB
Text
# Android heap profiling daemon. go/heapprofd.
|
|
#
|
|
# On user builds, this daemon is responsible for receiving the initial
|
|
# profiling configuration, finding matching target processes (if profiling by
|
|
# process name), and sending the activation signal to them (+ setting system
|
|
# properties for new processes to start profiling from startup). When profiling
|
|
# is triggered in a process, it spawns a private heapprofd subprocess (in its
|
|
# own SELinux domain), which will exclusively handle profiling of its parent.
|
|
#
|
|
# On debug builds, this central daemon performs profiling for all target
|
|
# processes (which talk directly to this daemon).
|
|
type heapprofd_exec, exec_type, file_type, system_file_type;
|
|
type heapprofd_tmpfs, file_type;
|
|
|
|
init_daemon_domain(heapprofd)
|
|
tmpfs_domain(heapprofd)
|
|
|
|
# Allow apps in other MLS contexts (for multi-user) to access
|
|
# shared memory buffers created by heapprofd.
|
|
typeattribute heapprofd_tmpfs mlstrustedobject;
|
|
|
|
set_prop(heapprofd, heapprofd_prop);
|
|
|
|
# Necessary for /proc/[pid]/cmdline access & sending signals.
|
|
typeattribute heapprofd mlstrustedsubject;
|
|
|
|
# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
|
|
# SIGCHLD, which are controlled by separate permissions.
|
|
allow heapprofd self:capability kill;
|
|
|
|
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
|
|
# profiling, only allowlisted domains will be allowed by SELinux. Avoid
|
|
# spamming logs with denials for entries that we can not access.
|
|
dontaudit heapprofd domain:dir { search open };
|
|
|
|
# Write trace data to the Perfetto traced daemon. This requires connecting to
|
|
# its producer socket and obtaining a (per-process) tmpfs fd.
|
|
perfetto_producer(heapprofd)
|
|
|
|
# When handling profiling for all processes, heapprofd needs to read
|
|
# executables/libraries/etc to do stack unwinding.
|
|
r_dir_file(heapprofd, nativetest_data_file)
|
|
r_dir_file(heapprofd, system_file_type)
|
|
r_dir_file(heapprofd, apk_data_file)
|
|
r_dir_file(heapprofd, dalvikcache_data_file)
|
|
r_dir_file(heapprofd, vendor_file_type)
|
|
r_dir_file(heapprofd, shell_test_data_file)
|
|
# ART apex files and directory access to the containing /data/misc/apexdata.
|
|
r_dir_file(heapprofd, apex_art_data_file)
|
|
allow heapprofd apex_module_data_file:dir { getattr search };
|
|
|
|
# Some dex files are not world-readable.
|
|
# We are still constrained by the SELinux rules above.
|
|
allow heapprofd self:global_capability_class_set dac_read_search;
|
|
|
|
# For checking profileability.
|
|
allow heapprofd packages_list_file:file r_file_perms;
|
|
|
|
# This is going to happen on user but is benign because central heapprofd
|
|
# does not actually need these permission.
|
|
# If the dac_read_search capability check is rejected, the kernel then tries
|
|
# to perform a dac_override capability check, so we need to dontaudit that
|
|
# as well.
|
|
dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
|
|
|
|
never_profile_heap(`{
|
|
bpfloader
|
|
init
|
|
kernel
|
|
keystore
|
|
llkd
|
|
logd
|
|
ueventd
|
|
vendor_init
|
|
vold
|
|
}')
|
|
|
|
full_treble_only(`
|
|
neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
|
|
')
|