# Android heap profiling daemon. go/heapprofd.
#
# On user builds, this daemon is responsible for receiving the initial
# profiling configuration, finding matching target processes (if profiling by
# process name), and sending the activation signal to them (+ setting system
# properties for new processes to start profiling from startup). When profiling
# is triggered in a process, it spawns a private heapprofd subprocess (in its
# own SELinux domain), which will exclusively handle profiling of its parent.
#
# On debug builds, this central daemon performs profiling for all target
# processes (which talk directly to this daemon).
#
# Security model (as expressed by the rules below): the central daemon on user
# builds only coordinates (properties, process lookup, signals) and has no
# read access to the target's executables or memory; the broad read grants
# needed for unwinding are confined to the userdebug_or_eng block.
type heapprofd_exec, exec_type, file_type, system_file_type;
type heapprofd_tmpfs, file_type;

init_daemon_domain(heapprofd)
tmpfs_domain(heapprofd)

# Allow apps in other MLS contexts (for multi-user) to access
# shared memory buffers created by heapprofd. This lifts only the MLS
# (per-user level) constraint on the tmpfs objects; TE rules still have to
# grant the app domain access to heapprofd_tmpfs explicitly.
typeattribute heapprofd_tmpfs mlstrustedobject;

set_prop(heapprofd, heapprofd_prop);

# Necessary for /proc/[pid]/cmdline access & sending signals to processes
# running in other MLS levels (other Android users). This exempts heapprofd
# from MLS constraints as a subject; what it may actually touch is still
# bounded by the TE allow rules in this file and in the macros it uses.
typeattribute heapprofd mlstrustedsubject;

# Allow sending signals to processes owned by other UIDs (CAP_KILL). The
# SELinux process-class permissions (signal vs. sigkill/sigstop/sigchld) are
# controlled separately and are not granted here, so this capability alone
# does not let heapprofd kill or stop a target.
allow heapprofd self:capability kill;

# When scanning /proc/[pid]/cmdline to find matching processes for by-name
# profiling, only domains explicitly allowed by SELinux policy will be
# readable. Avoid spamming logs with denials for entries that we can not
# access. dontaudit silences the denial; it does not grant access.
dontaudit heapprofd domain:dir { search open };

# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(heapprofd)

# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
#
# Debug builds only: nothing in this block may be hoisted out of
# userdebug_or_eng. On user builds the central daemon never unwinds, so it
# needs none of these reads, and dac_read_search would otherwise let it read
# arbitrary non-world-readable files within the SELinux grants above.
userdebug_or_eng(`
  r_dir_file(heapprofd, nativetest_data_file)
  r_dir_file(heapprofd, system_file_type)
  r_dir_file(heapprofd, apk_data_file)
  r_dir_file(heapprofd, dalvikcache_data_file)
  # Read-only: the full_treble_only neverallow at the bottom of this file
  # forbids writing or executing vendor files regardless of this grant.
  r_dir_file(heapprofd, vendor_file_type)
  # Some dex files are not world-readable, so bypass DAC read/search checks.
  # We are still constrained by the SELinux rules above: dac_read_search only
  # relaxes the Unix permission bits, not the TE allow rules.
  allow heapprofd self:global_capability_class_set dac_read_search;

  # /proc/kpageflags exposes per-physical-page kernel flags; keep this
  # debug-only. NOTE(review): presumably used for page-level memory
  # accounting in the profile — confirm against the heapprofd source.
  allow heapprofd proc_kpageflags:file r_file_perms;
')

# This is going to happen on user but is benign because central heapprofd
# does not actually need these permissions (see the userdebug_or_eng block
# above; on user builds the per-process subprocess does the unwinding).
# If the dac_read_search capability check is rejected, the kernel then tries
# to perform a dac_override capability check, so we need to dontaudit that
# as well. As with every dontaudit, this only suppresses the log entry; the
# capability is still denied on user builds.
dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };

# Domains that must never be heap-profiled. The macro (defined elsewhere, not
# visible here) is expected to enforce this with neverallow rules. The listed
# domains are either early-boot/highly privileged (init, kernel, vendor_init,
# ueventd, vold, bpfloader) or hold secrets or logs from other processes
# (keystore, logd, llkd); attaching an in-process profiler to them would widen
# the attack surface of the most trusted parts of the system.
never_profile_heap(`{
  bpfloader
  init
  kernel
  keystore
  llkd
  logd
  ueventd
  vendor_init
  vold
}')

# Treble guarantee: heapprofd may read vendor files (debug builds, above) but
# must never write or execute them.
full_treble_only(`
  neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
')