1# Android heap profiling daemon. go/heapprofd. 2# 3# On user builds, this daemon is responsible for receiving the initial 4# profiling configuration, finding matching target processes (if profiling by 5# process name), and sending the activation signal to them (+ setting system 6# properties for new processes to start profiling from startup). When profiling 7# is triggered in a process, it spawns a private heapprofd subprocess (in its 8# own SELinux domain), which will exclusively handle profiling of its parent. 9# 10# On debug builds, this central daemon performs profiling for all target 11# processes (which talk directly to this daemon). 12type heapprofd_exec, exec_type, file_type, system_file_type; 13type heapprofd_tmpfs, file_type; 14 15init_daemon_domain(heapprofd) 16tmpfs_domain(heapprofd) 17 18# Allow apps in other MLS contexts (for multi-user) to access 19# shared memory buffers created by heapprofd. 20typeattribute heapprofd_tmpfs mlstrustedobject; 21 22set_prop(heapprofd, heapprofd_prop); 23 24# Necessary for /proc/[pid]/cmdline access & sending signals. 25typeattribute heapprofd mlstrustedsubject; 26 27# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and 28# SIGCHLD, which are controlled by separate permissions. 29allow heapprofd self:capability kill; 30 31# When scanning /proc/[pid]/cmdline to find matching processes for by-name 32# profiling, only allowlisted domains will be allowed by SELinux. Avoid 33# spamming logs with denials for entries that we can not access. 34dontaudit heapprofd domain:dir { search open }; 35 36# Write trace data to the Perfetto traced daemon. This requires connecting to 37# its producer socket and obtaining a (per-process) tmpfs fd. 38perfetto_producer(heapprofd) 39 40# When handling profiling for all processes, heapprofd needs to read 41# executables/libraries/etc to do stack unwinding. 42r_dir_file(heapprofd, nativetest_data_file) 43r_dir_file(heapprofd, system_file_type) 44r_dir_file(heapprofd, apex_art_data_file) 45r_dir_file(heapprofd, apk_data_file) 46r_dir_file(heapprofd, dalvikcache_data_file) 47r_dir_file(heapprofd, vendor_file_type) 48r_dir_file(heapprofd, shell_test_data_file) 49# Some dex files are not world-readable. 50# We are still constrained by the SELinux rules above. 51allow heapprofd self:global_capability_class_set dac_read_search; 52 53# For checking profileability. 54allow heapprofd packages_list_file:file r_file_perms; 55 56# This is going to happen on user but is benign because central heapprofd 57# does not actually need these permission. 58# If the dac_read_search capability check is rejected, the kernel then tries 59# to perform a dac_override capability check, so we need to dontaudit that 60# as well. 61dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override }; 62 63never_profile_heap(`{ 64 bpfloader 65 init 66 kernel 67 keystore 68 llkd 69 logd 70 ueventd 71 vendor_init 72 vold 73}') 74 75full_treble_only(` 76 neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms }; 77') 78