Allow system_server to collect app heapdumps (debug builds only)

On debuggable builds, system_server can request app heap dumps by running something similar to the following commands: % adb shell am set-watch-heap com.android.systemui 1048576 % adb shell dumpsys procstats --start-testing which will dump the app's heap to /data/system/heapdump. See framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d. Allow this behavior. Addresses the following denial: avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0 Bug: 20073185 Change-Id: I4b925033a5456867caf2697de6c2d683d0743540

Allow system_server to collect app heapdumps (debug builds only)
On debuggable builds, system_server can request app heap dumps by running something similar to the following commands: % adb shell am set-watch-heap com.android.systemui 1048576 % adb shell dumpsys procstats --start-testing which will dump the app's heap to /data/system/heapdump. See framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d. Allow this behavior. Addresses the following denial: avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0 Bug: 20073185 Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
8a06c077 · Nick Kralevich · 91b7c67d · 8a06c077 · 8a06c077 · 8a06c077
Commit 8a06c077 authored 9 years ago by Nick Kralevich
--- a/app.te
+++ b/app.te
@@ -90,6 +90,14 @@ allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+  allow appdomain heapdump_data_file:file append;
+')
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # Everybody can read the xt_qtaguid resource tracking misc dev.

--- a/file.te
+++ b/file.te
@@ -82,6 +82,8 @@ type gps_data_file, file_type, data_file_type;
 type property_data_file, file_type, data_file_type;
 # /data/bootchart
 type bootchart_data_file, file_type, data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;

--- a/file_contexts
+++ b/file_contexts
@@ -243,6 +243,7 @@
 /data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
+/data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0

--- a/system_server.te
+++ b/system_server.te
@@ -202,6 +202,10 @@ allow system_server backup_data_file:file create_file_perms;
 allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow system_server dalvikcache_profiles_data_file:file create_file_perms;
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
 # Manage /data/misc/adb.
 allow system_server adb_keys_file:dir create_dir_perms;
 allow system_server adb_keys_file:file create_file_perms;