Allow profilable domains to use heapprofd fd and tmpfs.
This is needed to allow communication over shared memory.
Bug: 126724929
Change-Id: I73e69ae3679cd50124ab48121e259fd164176ed3
diff --git a/private/domain.te b/private/domain.te
index bc05875..3b340c5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -19,6 +19,10 @@
-keystore
-llkd
-logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
-ueventd
-vendor_init
-vold
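Review bot: The four added exclusions (`-logpersist`, `-recovery`, `-recovery_persist`, `-recovery_refresh`) carry no explanation, and the commit message does not mention them. The list they extend starts above this hunk, so its purpose is not visible here. Presumably these domains must be kept out because the new heapprofd_tmpfs write and fd-use rules would conflict with restrictions they already have, but that should be confirmed and written down. A comment above the list such as `# logpersist and recovery* are exempt: <reason, e.g. the neverallow the new rules would violate>` would let a later reader judge whether other domains need the same treatment.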
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 7f8d8d6..df42b1e 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -10,8 +10,14 @@
# On debug builds, this central daemon performs profiling for all target
# processes (which talk directly to this daemon).
type heapprofd_exec, exec_type, file_type, system_file_type;
+type heapprofd_tmpfs, file_type;
init_daemon_domain(heapprofd)
+tmpfs_domain(heapprofd)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# share memory buffers created by heapprofd.
+typeattribute heapprofd_tmpfs mlstrustedobject;
set_prop(heapprofd, heapprofd_prop);
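Review bot: Marking `heapprofd_tmpfs` as `mlstrustedobject` removes MLS separation for these buffers, so the type-enforcement rules become the only control, and nothing in this file pins them down. The matching client rule in public/te_macros grants `{ read write getattr map }` without `open`, which suggests clients are meant to reach the buffer only through an fd passed by heapprofd. A neverallow would keep a later change from widening that, for example `neverallow { domain -heapprofd } heapprofd_tmpfs:file { open execute };`, to be checked against what tmpfs_domain() already grants before adopting it. The added comment should also say that profiled processes write into the buffers, and "share memory" should read "shared memory".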
diff --git a/public/te_macros b/public/te_macros
index b9a6c05..cd4bf61 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -661,14 +661,8 @@
allow heapprofd $1:file r_file_perms;
allow heapprofd $1:dir r_dir_perms;
- # On debug builds, central daemon can handle profiling of all processes
- # directly.
- userdebug_or_eng(`
- # Allow connecting to the daemon.
- unix_socket_connect($1, heapprofd, heapprofd)
- # Allow daemon to use the passed fds.
- allow heapprofd $1:fd use;
- ')
+ # Profilability on user implies profilability on userdebug and eng.
+ can_profile_heap_userdebug_or_eng($1)
')
###################################
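Review bot: The removed lines sat inside a userdebug_or_eng() wrapper, while the replacement call `can_profile_heap_userdebug_or_eng($1)` is unconditional here. Whether user builds stay free of the central-daemon rules now depends entirely on that macro gating its own body. Its definition starts outside this hunk, so this cannot be confirmed from here; if the body is not wrapped, user builds would gain the socket-connect, fd-use and shared-memory rules. Once verified, the new comment could state the dependency, e.g. `# can_profile_heap_userdebug_or_eng expands to nothing on user builds.`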
@@ -686,6 +680,11 @@
unix_socket_connect($1, heapprofd, heapprofd)
# Allow daemon to use the passed fds.
allow heapprofd $1:fd use;
+ # Allow to read and write to heapprofd shmem.
+ # The client needs to read the read and write pointers in order to write.
+ allow $1 heapprofd_tmpfs:file { read write getattr map };
+ # Use shared memory received over the unix socket.
+ allow $1 heapprofd:fd use;
# To read from the received file descriptors.
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the