1# Android heap profiling daemon. go/heapprofd. 2# 3# On user builds, this daemon is responsible for receiving the initial 4# profiling configuration, finding matching target processes (if profiling by 5# process name), and sending the activation signal to them (+ setting system 6# properties for new processes to start profiling from startup). When profiling 7# is triggered in a process, it spawns a private heapprofd subprocess (in its 8# own SELinux domain), which will exclusively handle profiling of its parent. 9# 10# On debug builds, this central daemon performs profiling for all target 11# processes (which talk directly to this daemon). 12type heapprofd_exec, exec_type, file_type, system_file_type; 13type heapprofd_tmpfs, file_type; 14 15init_daemon_domain(heapprofd) 16tmpfs_domain(heapprofd) 17 18# Allow apps in other MLS contexts (for multi-user) to access 19# shared memory buffers created by heapprofd. 20typeattribute heapprofd_tmpfs mlstrustedobject; 21 22set_prop(heapprofd, heapprofd_prop); 23 24# Necessary for /proc/[pid]/cmdline access & sending signals. 25typeattribute heapprofd mlstrustedsubject; 26 27# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and 28# SIGCHLD, which are controlled by separate permissions. 29allow heapprofd self:capability kill; 30 31# When scanning /proc/[pid]/cmdline to find matching processes for by-name 32# profiling, only allowlisted domains will be allowed by SELinux. Avoid 33# spamming logs with denials for entries that we can not access. 34dontaudit heapprofd domain:dir { search open }; 35 36# Write trace data to the Perfetto traced daemon. This requires connecting to 37# its producer socket and obtaining a (per-process) tmpfs fd. 38perfetto_producer(heapprofd) 39 40# When handling profiling for all processes, heapprofd needs to read 41# executables/libraries/etc to do stack unwinding. 42userdebug_or_eng(` 43 r_dir_file(heapprofd, nativetest_data_file) 44 r_dir_file(heapprofd, system_file_type) 45 r_dir_file(heapprofd, apk_data_file) 46 r_dir_file(heapprofd, dalvikcache_data_file) 47 r_dir_file(heapprofd, vendor_file_type) 48 # Some dex files are not world-readable. 49 # We are still constrained by the SELinux rules above. 50 allow heapprofd self:global_capability_class_set dac_read_search; 51 52 allow heapprofd proc_kpageflags:file r_file_perms; 53') 54 55# This is going to happen on user but is benign because central heapprofd 56# does not actually need these permission. 57# If the dac_read_search capability check is rejected, the kernel then tries 58# to perform a dac_override capability check, so we need to dontaudit that 59# as well. 60dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override }; 61 62never_profile_heap(`{ 63 bpfloader 64 init 65 kernel 66 keystore 67 llkd 68 logd 69 ueventd 70 vendor_init 71 vold 72}') 73 74full_treble_only(` 75 neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms }; 76') 77