67a82481f8
The steps involved in setting up profiling and stack unwinding are
described in detail at go/perfetto-perf-android.
To summarize the interesting case: the daemon uses cpu-wide
perf_event_open, with userspace stack and register sampling on. For each
sample, it identifies whether the process is profileable, and obtains
the FDs for /proc/[pid]/{maps,mem} using a dedicated RT signal (with the
bionic signal handler handing over the FDs over a dedicated socket). It
then uses libunwindstack to unwind & symbolize the stacks, sending the
results to the central tracing daemon (traced).
This patch covers the app profiling use-cases. Splitting out the
"profile most things on debug builds" into a separate patch for easier
review.
Most of the exceptions in domain.te & coredomain.te come from the
"vendor_file_type" allow-rule. We want a subset of that (effectively all
libraries/executables), but I believe that in practice it's hard to use
just the specific subtypes, and we're better off allowing access to all
vendor_file_type files.
Bug: 137092007
Change-Id: I4aa482cfb3f9fb2fabf02e1dff92e2b5ce121a47
53 lines
1.9 KiB
Text
53 lines
1.9 KiB
Text
# Performance profiler, backed by perf_event_open(2).
|
|
# See go/perfetto-perf-android.
|
|
typeattribute traced_perf coredomain;
|
|
typeattribute traced_perf mlstrustedsubject;
|
|
|
|
type traced_perf_exec, system_file_type, exec_type, file_type;
|
|
|
|
init_daemon_domain(traced_perf)
|
|
perfetto_producer(traced_perf)
|
|
|
|
# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
|
|
# profiling, but retain samples only for profileable processes.
|
|
# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
|
|
# check (which would require a process:attach SELinux allow-rule).
|
|
allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
|
|
|
|
# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
|
|
# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
|
|
# sampled stacks, which requires opening the backing libraries/executables (as
|
|
# symbols are usually not mapped into the process space). Not all such files
|
|
# are world-readable, e.g. odex files that included user profiles during
|
|
# profile-guided optimization.
|
|
allow traced_perf self:capability { kill dac_read_search };
|
|
|
|
# Allow reading /system/data/packages.list.
|
|
allow traced_perf packages_list_file:file r_file_perms;
|
|
|
|
# Allow reading files for stack unwinding and symbolization.
|
|
r_dir_file(traced_perf, nativetest_data_file)
|
|
r_dir_file(traced_perf, system_file_type)
|
|
r_dir_file(traced_perf, apk_data_file)
|
|
r_dir_file(traced_perf, dalvikcache_data_file)
|
|
r_dir_file(traced_perf, vendor_file_type)
|
|
|
|
# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
|
|
# domains that it cannot read.
|
|
dontaudit traced_perf domain:dir { search getattr open };
|
|
|
|
# Never allow access to app data files
|
|
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
|
|
|
|
# Never allow profiling highly privileged processes.
|
|
never_profile_heap(`{
|
|
bpfloader
|
|
init
|
|
kernel
|
|
keystore
|
|
llkd
|
|
logd
|
|
ueventd
|
|
vendor_init
|
|
vold
|
|
}')
|