# Android heap profiling daemon. go/heapprofd.
#
# SELinux policy for the heapprofd domain. The rules below grant only what the
# daemon needs to locate target processes, read on-disk binaries for stack
# unwinding, and hand trace data to the Perfetto traced daemon. The
# never_profile_heap list and the neverallow at the bottom fence off what the
# daemon must never touch.

# heapprofd_exec labels the daemon's executable (exec_type, file_type,
# system_file_type); heapprofd_tmpfs labels its tmpfs-backed memory.
type heapprofd_exec, exec_type, file_type, system_file_type;
type heapprofd_tmpfs, file_type;

# Standard daemon domain setup macros (domain definition and a private tmpfs
# type); their bodies are defined elsewhere in the policy.
init_daemon_domain(heapprofd)
tmpfs_domain(heapprofd)

# Allow apps in other MLS contexts (for multi-user) to access
# shared memory buffers created by heapprofd.
# mlstrustedobject exempts these tmpfs objects from MLS constraints only; type
# enforcement on heapprofd_tmpfs still applies.
typeattribute heapprofd_tmpfs mlstrustedobject;

# heapprofd may set properties labelled heapprofd_prop.
set_prop(heapprofd, heapprofd_prop);

# Necessary for /proc/[pid]/cmdline access & sending signals.
# mlstrustedsubject lets heapprofd act across MLS levels (processes of other
# users). This is a broad exemption, which is why the TE rules below are kept
# narrow.
typeattribute heapprofd mlstrustedsubject;

# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
# SIGCHLD, which are controlled by separate permissions.
# CAP_KILL only lifts the DAC uid check; the SELinux process signal
# permissions towards each target domain still have to be granted separately.
allow heapprofd self:capability kill;

# When scanning /proc/[pid]/cmdline to find matching processes for by-name
# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
# dontaudit suppresses the audit record only; it grants no access.
dontaudit heapprofd domain:dir { search open };

# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(heapprofd)

# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
# All of these are read-only (r_dir_file); no write or execute access is
# granted here.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
r_dir_file(heapprofd, shell_test_data_file)
# ART apex files and directory access to the containing /data/misc/apexdata.
r_dir_file(heapprofd, apex_art_data_file)
# Only traversal of the parent directory (getattr/search), not listing it.
allow heapprofd apex_module_data_file:dir { getattr search };

# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
# dac_read_search bypasses the DAC (uid/gid mode-bit) read and search checks,
# so SELinux type enforcement is the effective boundary: any new r_dir_file
# type added above also widens what this capability reaches.
allow heapprofd self:global_capability_class_set dac_read_search;

# For checking profileability.
allow heapprofd packages_list_file:file r_file_perms;

# Never allow profiling privileged or otherwise incompatible domains.
# Corresponding allow-rule is in private/domain.te.
# The domains listed here are excluded from heap profiling; the macro body is
# defined elsewhere (presumably emitting neverallow rules -- see its definition).
never_profile_heap(`{
  apexd
  app_zygote
  bpfloader
  hal_configstore_server
  init
  kernel
  keystore
  llkd
  logd
  logpersist
  recovery
  recovery_persist
  recovery_refresh
  ueventd
  vendor_init
  vold
  webview_zygote
  zygote
}')

# Emitted on full-Treble builds only: heapprofd must never write to or execute
# vendor files. This complements the read-only vendor_file_type access granted
# above for stack unwinding.
full_treble_only(`
  neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
')