From b1dad0967902c26212bae77e83c09a9cf9ab8568 Mon Sep 17 00:00:00 2001
From: Florian Mayer <fmayer@google.com>
Date: Tue, 27 Nov 2018 11:09:14 +0000
Subject: [PATCH] Allow heap profiling everything except TCB on userdebug.

Bug: 117762471
Test: m
Test: flash sailfish
Test: profile all running processes with setenforce 1

Change-Id: I71d41d06d2a62190e33b7e3e425a1f7b8039196e
---
 private/domain.te         | 12 ++++++++++++
 private/system_server.te  |  1 -
 public/domain.te          |  1 +
 public/hal_configstore.te |  1 +
 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/private/domain.te b/private/domain.te
index 6a71a140b..65688b20f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -10,6 +10,18 @@ allow domain crash_dump:process sigchld;
 # heap profiling, as initialization will fail if it does not have the
 # necessary SELinux permissions.
 get_prop(domain, heapprofd_prop);
+userdebug_or_eng(`can_profile_heap({
+  domain
+  -bpfloader
+  -init
+  -kernel
+  -keystore
+  -llkd
+  -logd
+  -ueventd
+  -vendor_init
+  -vold
+})')
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
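Review bot: The exclusion set passed to `can_profile_heap({ domain -bpfloader ... -vold })` is a hand-maintained deny-list with no comment, so a trusted domain added later becomes profileable on userdebug/eng builds unless someone remembers to extend it. A comment above the block naming the criterion would help, for example `# Exclude TCB domains from heap profiling; any new TCB domain must be added here.` Whether a neverallow elsewhere backs this list cannot be seen from the hunk. The same commit also drops the standalone `can_profile_heap(system_server)` from private/system_server.te, so system_server appears to be covered only through this userdebug/eng-gated rule afterwards. If that narrowing is intended, it deserves a mention next to the rule.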
diff --git a/private/system_server.te b/private/system_server.te
index 4ec68021f..4cf8ae02b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,7 +5,6 @@
 
 typeattribute system_server coredomain;
 typeattribute system_server mlstrustedsubject;
-can_profile_heap(system_server)
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
diff --git a/public/domain.te b/public/domain.te
index 09eb3e6cb..67002c93f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -776,6 +776,7 @@ full_treble_only(`
     userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
     -init
     -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+    userdebug_or_eng('-heapprofd`)
   });
 ')
 
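Review bot: The m4 quotes on the added line are reversed: ``userdebug_or_eng('-heapprofd`)`` opens with an apostrophe and closes with a backtick, whereas the `-su` line above it and the matching line in public/hal_configstore.te use backtick-open, apostrophe-close. Inside the enclosing full_treble_only quote, the stray backtick will likely either break the policy build or shift where the quoted neverallow block ends, and a neverallow exemption list should not depend on how m4 happens to recover. The line should read ``userdebug_or_eng(`-heapprofd')``. The neverallow rule begins above the hunk, so its source set and classes are not visible here.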
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 2931cb582..8fe6bbe1a 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -33,6 +33,7 @@ neverallow hal_configstore_server {
   -logd
   userdebug_or_eng(`-su')
   -tombstoned
+  userdebug_or_eng(`-heapprofd')
 }:{ unix_dgram_socket unix_stream_socket } *;
 
 # Should never need access to anything on /data
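Review bot: The added `-heapprofd` exemption carries no explanation, although this neverallow is what keeps hal_configstore_server from using unix sockets with other domains. hal_configstore is not in the exclusion list added to private/domain.te, so the exemption presumably exists because the profiler now reaches this domain over a socket; that is inferred, not shown in the hunk. A trailing comment would record the reason for the next audit, e.g. ``userdebug_or_eng(`-heapprofd') # heap profiling client socket, userdebug/eng only``. The opening lines of the neverallow are above the hunk.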
-- 
GitLab