1# Android heap profiling daemon. go/heapprofd.
2#
3# On user builds, this daemon is responsible for receiving the initial
4# profiling configuration, finding matching target processes (if profiling by
5# process name), and sending the activation signal to them (+ setting system
6# properties for new processes to start profiling from startup). When profiling
7# is triggered in a process, it spawns a private heapprofd subprocess (in its
8# own SELinux domain), which will exclusively handle profiling of its parent.
9#
10# On debug builds, this central daemon performs profiling for all target
11# processes (which talk directly to this daemon).
12type heapprofd_exec, exec_type, file_type, system_file_type;
13type heapprofd_tmpfs, file_type;
14
15init_daemon_domain(heapprofd)
16tmpfs_domain(heapprofd)
17
18# Allow apps in other MLS contexts (for multi-user) to access
19# shared memory buffers created by heapprofd.
20typeattribute heapprofd_tmpfs mlstrustedobject;
21
22set_prop(heapprofd, heapprofd_prop);
23
24# Necessary for /proc/[pid]/cmdline access & sending signals.
25typeattribute heapprofd mlstrustedsubject;
26
27# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
28# SIGCHLD, which are controlled by separate permissions.
29allow heapprofd self:capability kill;
30
31# When scanning /proc/[pid]/cmdline to find matching processes for by-name
32# profiling, only allowlisted domains will be allowed by SELinux. Avoid
33# spamming logs with denials for entries that we can not access.
34dontaudit heapprofd domain:dir { search open };
35
36# Write trace data to the Perfetto traced daemon. This requires connecting to
37# its producer socket and obtaining a (per-process) tmpfs fd.
38allow heapprofd traced:fd use;
39allow heapprofd traced_tmpfs:file { read write getattr map };
40unix_socket_connect(heapprofd, traced_producer, traced)
41
42# When handling profiling for all processes, heapprofd needs to read
43# executables/libraries/etc to do stack unwinding.
44userdebug_or_eng(`
45  r_dir_file(heapprofd, nativetest_data_file)
46  r_dir_file(heapprofd, system_file_type)
47  r_dir_file(heapprofd, apk_data_file)
48  r_dir_file(heapprofd, dalvikcache_data_file)
49  r_dir_file(heapprofd, vendor_file_type)
50  # Some dex files are not world-readable.
51  # We are still constrained by the SELinux rules above.
52  allow heapprofd self:global_capability_class_set dac_read_search;
53')
54
55# This is going to happen on user but is benign because central heapprofd
56# does not actually need these permission.
57# If the dac_read_search capability check is rejected, the kernel then tries
58# to perform a dac_override capability check, so we need to dontaudit that
59# as well.
60dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
61
62never_profile_heap(`{
63  bpfloader
64  init
65  kernel
66  keystore
67  llkd
68  logd
69  ueventd
70  vendor_init
71  vold
72}')
73
74full_treble_only(`
75  neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
76')
77