author Mitch Phillips <mitchp@google.com> 2023-02-09 11:25:10 -0800
committer Mitch Phillips <mitchp@google.com> 2023-02-09 12:52:51 -0800
commita63fa9ad0908cd32cad8485d1bd5a1e2f9f4e247 (patch)
treed9148467426c7510ad506ecd4f091e305dc31275
parent30eb433a3f1d889f115f81ddd9ccf861e75585bb (diff)
[GWP-ASan] Enable recoverable GWP-ASan for apps.
Currently, GWP-ASan is opt-in, and requires an app to set `gwpAsanMode=always` in the manifest. If `gwpAsanMode` is unspecified, or `gwpAsanMode=default`, then no GWP-ASan is enabled. Let's flip that to the new recoverable mode, which catches heap-use-after-free and heap-buffer-overflow using sampled page allocations (as per normal GWP-ASan), but now doesn't crash the app when it's detected. Also, provide a kill switch that we can use if we discover problems in the field, which can be pushed if necessary with go/android-exp. Bug: N/A Test: Build a device with this enabled, use some debugging apps that trigger a use-after-free to test the mode is working as intended. Change-Id: I03b1478c148b9f9cfaeaa16ed273f107b55f9057
-rw-r--r--core/jni/com_android_internal_os_Zygote.cpp9
1 files changed, 5 insertions, 4 deletions
diff --git a/core/jni/com_android_internal_os_Zygote.cpp b/core/jni/com_android_internal_os_Zygote.cpp
index 963a83e5d3ee..fad9e0e79899 100644
--- a/core/jni/com_android_internal_os_Zygote.cpp
+++ b/core/jni/com_android_internal_os_Zygote.cpp
@@ -1923,15 +1923,16 @@ static void SpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArray gids,
const char* nice_name_ptr = nice_name.has_value() ? nice_name.value().c_str() : nullptr;
android_mallopt_gwp_asan_options_t gwp_asan_options;
+ const char* kGwpAsanAppRecoverableSysprop =
+ "persist.device_config.memory_safety_native.gwp_asan_recoverable_apps";
// The system server doesn't have its nice name set by the time SpecializeCommon is called.
gwp_asan_options.program_name = nice_name_ptr ?: process_name;
switch (runtime_flags & RuntimeFlags::GWP_ASAN_LEVEL_MASK) {
default:
case RuntimeFlags::GWP_ASAN_LEVEL_DEFAULT:
- // TODO(b/247012630): Switch this to Action::TURN_ON_FOR_APP_SAMPLED_NON_CRASHING once
- // performance and syshealth testing is completed, making the default for non-system
- // apps that don't specify a `gwpAsanMode` in their manifest to be sampled-recoverable.
- gwp_asan_options.desire = Action::DONT_TURN_ON_UNLESS_OVERRIDDEN;
+ gwp_asan_options.desire = GetBoolProperty(kGwpAsanAppRecoverableSysprop, true)
+ ? Action::TURN_ON_FOR_APP_SAMPLED_NON_CRASHING
+ : Action::DONT_TURN_ON_UNLESS_OVERRIDDEN;
android_mallopt(M_INITIALIZE_GWP_ASAN, &gwp_asan_options, sizeof(gwp_asan_options));
break;
case RuntimeFlags::GWP_ASAN_LEVEL_NEVER:
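Review bot: The `GWP_ASAN_LEVEL_DEFAULT` branch drops the old TODO without leaving a comment on the kill switch, and the ternary alone does not show that it fails towards "enabled". `GetBoolProperty(kGwpAsanAppRecoverableSysprop, true)` is evaluated once per call to `SpecializeCommon`, so flipping the property presumably only affects processes specialized afterwards, and an unset (or, as far as I know, unparsable) value yields `true`. I would add `// Kill switch: recoverable GWP-ASan stays on unless this property is explicitly false; read at specialization, so running apps keep their mode.` above the assignment. As a style point, the `k`-prefixed name is declared as a plain `const char*` local; `static constexpr const char* kGwpAsanAppRecoverableSysprop = ...;` would make it the constant its name suggests. `SpecializeCommon` starts and ends outside this hunk, so whether the other `GWP_ASAN_LEVEL_*` cases should also honour the property cannot be judged from here.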