1*e4a36f41SAndroid Build Coastguard Worker# Android heap profiling daemon. go/heapprofd. 2*e4a36f41SAndroid Build Coastguard Worker# 3*e4a36f41SAndroid Build Coastguard Worker# On user builds, this daemon is responsible for receiving the initial 4*e4a36f41SAndroid Build Coastguard Worker# profiling configuration, finding matching target processes (if profiling by 5*e4a36f41SAndroid Build Coastguard Worker# process name), and sending the activation signal to them (+ setting system 6*e4a36f41SAndroid Build Coastguard Worker# properties for new processes to start profiling from startup). When profiling 7*e4a36f41SAndroid Build Coastguard Worker# is triggered in a process, it spawns a private heapprofd subprocess (in its 8*e4a36f41SAndroid Build Coastguard Worker# own SELinux domain), which will exclusively handle profiling of its parent. 9*e4a36f41SAndroid Build Coastguard Worker# 10*e4a36f41SAndroid Build Coastguard Worker# On debug builds, this central daemon performs profiling for all target 11*e4a36f41SAndroid Build Coastguard Worker# processes (which talk directly to this daemon). 12*e4a36f41SAndroid Build Coastguard Workertype heapprofd_exec, exec_type, file_type, system_file_type; 13*e4a36f41SAndroid Build Coastguard Workertype heapprofd_tmpfs, file_type; 14*e4a36f41SAndroid Build Coastguard Worker 15*e4a36f41SAndroid Build Coastguard Workerinit_daemon_domain(heapprofd) 16*e4a36f41SAndroid Build Coastguard Workertmpfs_domain(heapprofd) 17*e4a36f41SAndroid Build Coastguard Worker 18*e4a36f41SAndroid Build Coastguard Worker# Allow apps in other MLS contexts (for multi-user) to access 19*e4a36f41SAndroid Build Coastguard Worker# shared memory buffers created by heapprofd. 20*e4a36f41SAndroid Build Coastguard Workertypeattribute heapprofd_tmpfs mlstrustedobject; 21*e4a36f41SAndroid Build Coastguard Worker 22*e4a36f41SAndroid Build Coastguard Workerset_prop(heapprofd, heapprofd_prop); 23*e4a36f41SAndroid Build Coastguard Worker 24*e4a36f41SAndroid Build Coastguard Worker# Necessary for /proc/[pid]/cmdline access & sending signals. 25*e4a36f41SAndroid Build Coastguard Workertypeattribute heapprofd mlstrustedsubject; 26*e4a36f41SAndroid Build Coastguard Worker 27*e4a36f41SAndroid Build Coastguard Worker# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and 28*e4a36f41SAndroid Build Coastguard Worker# SIGCHLD, which are controlled by separate permissions. 29*e4a36f41SAndroid Build Coastguard Workerallow heapprofd self:capability kill; 30*e4a36f41SAndroid Build Coastguard Worker 31*e4a36f41SAndroid Build Coastguard Worker# When scanning /proc/[pid]/cmdline to find matching processes for by-name 32*e4a36f41SAndroid Build Coastguard Worker# profiling, only allowlisted domains will be allowed by SELinux. Avoid 33*e4a36f41SAndroid Build Coastguard Worker# spamming logs with denials for entries that we can not access. 34*e4a36f41SAndroid Build Coastguard Workerdontaudit heapprofd domain:dir { search open }; 35*e4a36f41SAndroid Build Coastguard Worker 36*e4a36f41SAndroid Build Coastguard Worker# Write trace data to the Perfetto traced daemon. This requires connecting to 37*e4a36f41SAndroid Build Coastguard Worker# its producer socket and obtaining a (per-process) tmpfs fd. 38*e4a36f41SAndroid Build Coastguard Workerperfetto_producer(heapprofd) 39*e4a36f41SAndroid Build Coastguard Worker 40*e4a36f41SAndroid Build Coastguard Worker# When handling profiling for all processes, heapprofd needs to read 41*e4a36f41SAndroid Build Coastguard Worker# executables/libraries/etc to do stack unwinding. 42*e4a36f41SAndroid Build Coastguard Workeruserdebug_or_eng(` 43*e4a36f41SAndroid Build Coastguard Worker r_dir_file(heapprofd, nativetest_data_file) 44*e4a36f41SAndroid Build Coastguard Worker r_dir_file(heapprofd, system_file_type) 45*e4a36f41SAndroid Build Coastguard Worker r_dir_file(heapprofd, apk_data_file) 46*e4a36f41SAndroid Build Coastguard Worker r_dir_file(heapprofd, dalvikcache_data_file) 47*e4a36f41SAndroid Build Coastguard Worker r_dir_file(heapprofd, vendor_file_type) 48*e4a36f41SAndroid Build Coastguard Worker # Some dex files are not world-readable. 49*e4a36f41SAndroid Build Coastguard Worker # We are still constrained by the SELinux rules above. 50*e4a36f41SAndroid Build Coastguard Worker allow heapprofd self:global_capability_class_set dac_read_search; 51*e4a36f41SAndroid Build Coastguard Worker 52*e4a36f41SAndroid Build Coastguard Worker allow heapprofd proc_kpageflags:file r_file_perms; 53*e4a36f41SAndroid Build Coastguard Worker') 54*e4a36f41SAndroid Build Coastguard Worker 55*e4a36f41SAndroid Build Coastguard Worker# This is going to happen on user but is benign because central heapprofd 56*e4a36f41SAndroid Build Coastguard Worker# does not actually need these permission. 57*e4a36f41SAndroid Build Coastguard Worker# If the dac_read_search capability check is rejected, the kernel then tries 58*e4a36f41SAndroid Build Coastguard Worker# to perform a dac_override capability check, so we need to dontaudit that 59*e4a36f41SAndroid Build Coastguard Worker# as well. 60*e4a36f41SAndroid Build Coastguard Workerdontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override }; 61*e4a36f41SAndroid Build Coastguard Worker 62*e4a36f41SAndroid Build Coastguard Workernever_profile_heap(`{ 63*e4a36f41SAndroid Build Coastguard Worker bpfloader 64*e4a36f41SAndroid Build Coastguard Worker init 65*e4a36f41SAndroid Build Coastguard Worker kernel 66*e4a36f41SAndroid Build Coastguard Worker keystore 67*e4a36f41SAndroid Build Coastguard Worker llkd 68*e4a36f41SAndroid Build Coastguard Worker logd 69*e4a36f41SAndroid Build Coastguard Worker ueventd 70*e4a36f41SAndroid Build Coastguard Worker vendor_init 71*e4a36f41SAndroid Build Coastguard Worker vold 72*e4a36f41SAndroid Build Coastguard Worker}') 73*e4a36f41SAndroid Build Coastguard Worker 74*e4a36f41SAndroid Build Coastguard Workerfull_treble_only(` 75*e4a36f41SAndroid Build Coastguard Worker neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms }; 76*e4a36f41SAndroid Build Coastguard Worker') 77