From 8a06c07724ad538d6c2f1d703fec88929c118894 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 7 Apr 2015 16:40:44 -0700
Subject: [PATCH] Allow system_server to collect app heapdumps (debug builds
 only)

On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:

  % adb shell am set-watch-heap com.android.systemui 1048576
  % adb shell dumpsys procstats --start-testing

which will dump the app's heap to /data/system/heapdump. See
framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.

Allow this behavior.

Addresses the following denial:

  avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0

Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
---
 app.te           | 8 ++++++++
 file.te          | 2 ++
 file_contexts    | 1 +
 system_server.te | 4 ++++
 4 files changed, 15 insertions(+)

diff --git a/app.te b/app.te
index 73fb68bd7..ffaae2386 100644
--- a/app.te
+++ b/app.te
@@ -90,6 +90,14 @@ allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };
 
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+  allow appdomain heapdump_data_file:file append;
+')
+
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # Everybody can read the xt_qtaguid resource tracking misc dev.
diff --git a/file.te b/file.te
index 25c3b7e29..42cc8ac3f 100644
--- a/file.te
+++ b/file.te
@@ -82,6 +82,8 @@ type gps_data_file, file_type, data_file_type;
 type property_data_file, file_type, data_file_type;
 # /data/bootchart
 type bootchart_data_file, file_type, data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/file_contexts b/file_contexts
index b66c2e07c..fcb22e9e0 100644
--- a/file_contexts
+++ b/file_contexts
@@ -243,6 +243,7 @@
 /data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
+/data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
diff --git a/system_server.te b/system_server.te
index 895bd4464..a0286287f 100644
--- a/system_server.te
+++ b/system_server.te
@@ -202,6 +202,10 @@ allow system_server backup_data_file:file create_file_perms;
 allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow system_server dalvikcache_profiles_data_file:file create_file_perms;
 
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
 # Manage /data/misc/adb.
 allow system_server adb_keys_file:dir create_dir_perms;
 allow system_server adb_keys_file:file create_file_perms;
-- 
GitLab