tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/heapprofd.te
Ryan Savitski 941ba723ba sepolicy: rework perfetto producer/profiler rules for "user" builds 
This patch:
* allows for heap and perf profiling of all processes on the system
  (minus undumpable and otherwise incompatible domains). For apps, the
  rest of the platform will still perform checks based on
  profileable/debuggable manifest flags. For native processes, the
  profilers will check that the process runs as an allowlisted UID.
* allows for all apps (=appdomain) to act as perfetto tracing data
  writers (=perfetto_producer) for the ART java heap graph plugin
  (perfetto_hprof).
* allows for system_server to act a perfetto_producer for java heap
  graphs.

Bug: 247858731
Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6
2023-02-03 15:05:14 +00:00

75 lines
2.3 KiB
Text
Raw Blame History

# Android heap profiling daemon. go/heapprofd.
type heapprofd_exec, exec_type, file_type, system_file_type;
type heapprofd_tmpfs, file_type;
init_daemon_domain(heapprofd)
tmpfs_domain(heapprofd)
# Allow apps in other MLS contexts (for multi-user) to access
# shared memory buffers created by heapprofd.
typeattribute heapprofd_tmpfs mlstrustedobject;
set_prop(heapprofd, heapprofd_prop);
# Necessary for /proc/[pid]/cmdline access & sending signals.
typeattribute heapprofd mlstrustedsubject;
# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
# SIGCHLD, which are controlled by separate permissions.
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(heapprofd)
# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
r_dir_file(heapprofd, shell_test_data_file)
# ART apex files and directory access to the containing /data/misc/apexdata.
r_dir_file(heapprofd, apex_art_data_file)
allow heapprofd apex_module_data_file:dir { getattr search };
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
# For checking profileability.
allow heapprofd packages_list_file:file r_file_perms;
# Never allow profiling privileged or otherwise incompatible domains.
# Corresponding allow-rule is in private/domain.te.
never_profile_heap(`{
apexd
app_zygote
bpfloader
diced
hal_configstore
init
kernel
keystore
llkd
logd
logpersist
recovery
recovery_persist
recovery_refresh
ueventd
vendor_init
vold
webview_zygote
zygote
}')
full_treble_only(`
neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
')
Reference in a new issue View git blame Copy permalink