SELinux policy for reading system ion heap size

The policy is only for userdebug or eng builds to verify usefulness of
ion heap size measuring in practice.

The size of the system ion heap is read by the system server similarly
to other memory measurements.

Example /sys/kernel/debug/ion/heaps/system (repeated lines and columns
removed):
          client              pid             size
----------------------------------------------------
 audio@2.0-servi              765             4096
 audio@2.0-servi              765            61440
 audio@2.0-servi              765             4096
     voip_client               96             8192
     voip_client               96             4096
   system_server             1232         16728064
  surfaceflinger              611         50642944
----------------------------------------------------
orphaned allocations (info is from last known client):
----------------------------------------------------
  total orphaned                0
          total          55193600
   deferred free                0
----------------------------------------------------
0 order 4 highmem pages in uncached pool = 0 total
0 order 4 lowmem pages in uncached pool = 0 total
1251 order 4 lowmem pages in cached pool = 81985536 total
VMID 8: 0 order 4 highmem pages in secure pool = 0 total

Test: m -j
Test: statsd_testdrive returns non-zero value
Bug: 130526489
Bug: 128412961
Change-Id: I5b42a06c3f7fd083150193c6bd291c33e332c23b
diff --git a/private/genfs_contexts b/private/genfs_contexts
new file mode 100644
index 0000000..8a9b749
--- /dev/null
+++ b/private/genfs_contexts
@@ -0,0 +1 @@
+genfscon debugfs /ion/heaps/system                    u:object_r:debugfs_system_ion_heap:s0
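Review bot: The path in this genfscon entry is matched as a plain string prefix, not as a whole path component, so any other debugfs entry whose path begins with /ion/heaps/system (a sibling heap with a longer name starting with "system", for example) would also be labelled debugfs_system_ion_heap and become readable by the domains granted access in this change. Check the heaps directory on the target devices for such names. If any exist, give them their own more specific genfscon lines so they keep the label intended for them.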
diff --git a/private/system_server.te b/private/system_server.te
new file mode 100644
index 0000000..7e0bba4
--- /dev/null
+++ b/private/system_server.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+  # Read /sys/kernel/debug/ion/heaps/system.
+  allow system_server debugfs_system_ion_heap:file r_file_perms;
+')
+dontaudit system_server debugfs_system_ion_heap:file r_file_perms;
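Review bot: The dontaudit on the last added line sits outside the userdebug_or_eng block without a comment, so its intent is left to the reader. It looks meant to silence the denial on user builds, where system_server has no allow rule for this file, while on userdebug and eng builds it is redundant with the allow above it. Add a comment saying so, for example "# Suppress denials on user builds, where the read is not allowed.", so the rule is not later mistaken for a leftover and removed, or moved inside the macro.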
diff --git a/public/file.te b/public/file.te
new file mode 100644
index 0000000..95ecad0
--- /dev/null
+++ b/public/file.te
@@ -0,0 +1 @@
+type debugfs_system_ion_heap, fs_type, debugfs_type;
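Review bot: The new type declaration carries no comment naming the file it labels. A one-line comment above it, such as "# /sys/kernel/debug/ion/heaps/system", would save readers of file.te a lookup in genfs_contexts, and it would make clear that the type covers a single debugfs file that exposes per-client pids and allocation sizes.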
diff --git a/vendor/qcom/common/hal_dumpstate_impl.te b/vendor/qcom/common/hal_dumpstate_impl.te
index d4e0f2b..00188f2 100644
--- a/vendor/qcom/common/hal_dumpstate_impl.te
+++ b/vendor/qcom/common/hal_dumpstate_impl.te
@@ -103,6 +103,7 @@
 ')
 
 # For collecting bugreports.
+allow hal_dumpstate_impl debugfs_system_ion_heap:file r_file_perms;
 allow hal_dumpstate_impl shell_data_file:file getattr;
 allow hal_dumpstate_impl sysfs_system_sleep_stats:file r_file_perms;
 # For '/vendor/bin/sh -c getprop | grep vendor.sys.modem.diag'
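Review bot: The added allow for hal_dumpstate_impl is not wrapped in userdebug_or_eng, unlike the system_server rule in private/system_server.te, yet the commit message says the policy is only for userdebug or eng builds. As written, the dumpstate HAL gets read access to debugfs_system_ion_heap on user builds too. If bugreports on user builds are meant to include the heap listing, state that in the commit message or in a comment next to the rule; otherwise wrap the line in userdebug_or_eng(` ... ').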