# Android heap profiling daemon. go/heapprofd.
#
# Type labels for the daemon: heapprofd_exec is its executable (an exec_type
# that is part of the system image), heapprofd_tmpfs labels the tmpfs-backed
# files it creates (see tmpfs_domain below).
type heapprofd_exec, exec_type, file_type, system_file_type;
type heapprofd_tmpfs, file_type;

# init launches heapprofd and transitions it into its own domain; tmpfs files
# it creates are labelled heapprofd_tmpfs rather than the generic tmpfs type.
init_daemon_domain(heapprofd)
tmpfs_domain(heapprofd)

# Allow apps in other MLS contexts (for multi-user) to access
# shared memory buffers created by heapprofd.
# mlstrustedobject only relaxes the MLS constraints on these objects; the
# type-enforcement rules of the accessing domain still apply.
typeattribute heapprofd_tmpfs mlstrustedobject;

# Write access to heapprofd's own system properties (heapprofd_prop).
set_prop(heapprofd, heapprofd_prop);

# Necessary for /proc/[pid]/cmdline access & sending signals.
# mlstrustedsubject lets heapprofd cross MLS (per-user) boundaries; what it
# may touch is still bounded by the allow rules in this file and elsewhere.
typeattribute heapprofd mlstrustedsubject;

# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
# SIGCHLD, which are controlled by separate permissions.
# CAP_KILL only removes the kernel's uid check; signalling a target domain
# additionally needs the matching process:signal allow rule on that domain.
allow heapprofd self:capability kill;

# When scanning /proc/[pid]/cmdline to find matching processes for by-name
# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we cannot access.
# This silences only dir { search open } denials on any domain; file-level
# denials are not covered by this rule and remain audited.
dontaudit heapprofd domain:dir { search open };

# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(heapprofd)

# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
# Read-only access (r_dir_file): no write or execute permission is granted on
# any of these types, including the broad system_file_type / vendor_file_type.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
r_dir_file(heapprofd, shell_test_data_file)
# ART apex files and directory access to the containing /data/misc/apexdata.
r_dir_file(heapprofd, apex_art_data_file)
# Only traversal (search) and stat of the parent directory; no read, so the
# directory cannot be listed.
allow heapprofd apex_module_data_file:dir { getattr search };

# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
# CAP_DAC_READ_SEARCH bypasses only DAC read/search checks. It is granted on
# global_capability_class_set, i.e. on every capability class in that set
# (presumably including the user-namespace variant - confirm in global_macros).
allow heapprofd self:global_capability_class_set dac_read_search;

# For checking profileability.
# Read-only access to the package list file.
allow heapprofd packages_list_file:file r_file_perms;

# Never allow profiling privileged or otherwise incompatible domains.
# Corresponding allow-rule is in private/domain.te.
# NOTE(review): never_profile_heap presumably expands to neverallow rules, so
# granting heapprofd access to any domain listed here fails the policy build
# rather than silently widening its reach - confirm against te_macros.
never_profile_heap(`{
apexd
app_zygote
bpfloader
hal_configstore_server
init
kernel
keystore
llkd
logd
logpersist
recovery
recovery_persist
recovery_refresh
ueventd
vendor_init
vold
webview_zygote
zygote
}')

# On full-Treble builds heapprofd may read vendor files (for unwinding, see
# the r_dir_file rules above) but must never write or execute them; this is a
# compile-time neverallow assertion.
full_treble_only(`
neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
')