tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/dumpstate.te

288 lines
8.5 KiB
Text
Raw Normal View History

initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# dumpstate
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 22:19:03 +02:00
type dumpstate, domain, mlstrustedsubject;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
type dumpstate_exec, exec_type, file_type;
net_domain(dumpstate)
binder_use(dumpstate)
Allow dumpstate to use wake_lock. (cherry picked from commit e123f06123dff9a3a4f5fc4ffd8b52162a91bb4e) b/30832947 Change-Id: Icd5117d655f1197524b39fe7bc1b11c4d920093c
2016-08-19 01:17:11 +02:00
wakelock_use(dumpstate)
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
Dumpstate runs the same from shell as service. Without this change, any selinux warning you might get when running dumpstate from init do not show up when running from the shell as root. This change makes them run the same. Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb
2015-01-29 21:11:55 +01:00
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow dumpstate self:global_capability_class_set {
Grant access to net_raw and net_admin to dumpstate. These capabilities are required so it can run iptables, otherwise it will cause failures such as: 06-20 16:19:02.650 5524 5524 W iptables: type=1400 audit(0.0:232): avc: denied { net_raw } for capability=13 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0 06-20 16:56:57.119 5070 5070 W iptables: type=1400 audit(0.0:13): avc: denied { net_admin } for capability=12 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0 BUG: 29455997 Change-Id: I9c0d1973f166da202d039eac883a6e53d53e24cb
2016-06-20 19:01:53 +02:00
# Send signals to processes
kill
# Run iptables
net_raw
net_admin
};
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
restore permissions to /vendor for non-treble devices Relabeling /vendor and /system/vendor to vendor_file removed previously granted permissions. Restore these for non-treble devices. Addresses: avc: denied { execute_no_trans } for pid=2944 comm="dumpstate" path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0 tclass=file And potentially some other bugs that have yet to surface. Bug: 37105075 Test: build Fugu Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8
2017-04-14 06:58:12 +02:00
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
Only allow toolbox exec where /system exec was already allowed. When the toolbox domain was introduced, we allowed all domains to exec it to avoid breakage. However, only domains that were previously allowed the ability to exec /system files would have been able to do this prior to the introduction of the toolbox domain. Remove the rule from domain.te and add rules to all domains that are already allowed execute_no_trans to system_file. Requires coordination with device-specific policy changes with the same Change-Id. Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 17:38:29 +02:00
allow dumpstate toolbox_exec:file rx_file_perms;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
dumpstate: remove domain_deprecated attribute Clean up "granted" logspam. Grant the observered audited permissions including: tcontext=cache_file avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file tcontext=proc avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file tcontext=sysfs avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file tcontext=proc_meminfo avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read open } for comm="top" path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file tcontext=rootfs avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file tcontext=selinuxfs avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir tcontext=system_file avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir tcontext=system_data_file avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 28760354 Test: Build policy Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
2017-07-03 07:02:10 +02:00
# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Create and write into /data/anr/
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
eliminate some anr_data_file permissions. Init is now responsible for creating /data/anr, so it's unnecessary to grant system_server and dumpstate permissions to relabel this directory. Remove the excess permissions. Leave system_data_file relabelfrom, since it's possible we're still using it somewhere. See commits: https://android-review.googlesource.com/161650 https://android-review.googlesource.com/161477 https://android-review.googlesource.com/161638 Bug: 22385254 Change-Id: I1fd226491f54d76ff51b03d4b91e7adc8d509df9
2015-08-13 02:01:57 +02:00
allow dumpstate anr_data_file:dir rw_dir_perms;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
allow dumpstate anr_data_file:file create_file_perms;
# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;
# Read dmesg
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow dumpstate self:global_capability2_class_set syslog;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
allow dumpstate kernel:system syslog_read;
dumpstate: allow pstore access Dumpstate reads from /sys/fs/pstore/console-ramoops when generating a bug report. Allow it. Addresses the following denials: <12>[ 2187.362750] type=1400 audit(1402346777.139:9): avc: denied { search } for pid=4155 comm="dumpstate" name="/" dev="pstore" ino=9954 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1 <12>[ 2187.363025] type=1400 audit(1402346777.139:10): avc: denied { getattr } for pid=4155 comm="dumpstate" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1 <12>[ 2187.363185] type=1400 audit(1402346777.139:11): avc: denied { read } for pid=4155 comm="dumpstate" name="console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1 <12>[ 2187.363321] type=1400 audit(1402346777.139:12): avc: denied { open } for pid=4155 comm="dumpstate" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1 Change-Id: Ia20b7a03ed8e0c61b023eea93415a50af82e1bbf
2014-06-09 22:19:36 +02:00
# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Get process attributes
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
more ephemeral_app cleanup As of https://android-review.googlesource.com/324092, ephemeral_app is now an appdomain, so places where both appdomain and ephemeral_app are granted the same set of rules can be deleted. Test: policy compiles. Change-Id: Ideee710ea47af7303e5eb3af1331653afa698415
2017-01-19 19:56:18 +01:00
allow dumpstate { appdomain system_server }:process signal;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Signal native processes to dump their stack.
Sepolicy: Refactor long lines for debuggerd backtraces Split single lines in preparation for new additions. Bug: 28658141 Change-Id: I89f6a52bd2d145c53dd6bb39177578f51a352acf
2016-05-12 03:40:27 +02:00
allow dumpstate {
Allow bugreport to dump some HAL processes. Whitelist several hals which can be dumped by bugreports. Don't want to dump more because of the time it takes and also certain hals have sensitive data which shouldn't be dumped (i.e. keymaster). Test: dumps work for given hals Bug: 36414311 Change-Id: Ic0eddfa95fa33abbc983d3b5161e42c240663f22
2017-03-21 23:58:16 +01:00
# This list comes from native_processes_to_dump in dumpstate/utils.c
Sepolicy: Refactor long lines for debuggerd backtraces Split single lines in preparation for new additions. Bug: 28658141 Change-Id: I89f6a52bd2d145c53dd6bb39177578f51a352acf
2016-05-12 03:40:27 +02:00
audioserver
cameraserver
drmserver
inputflinger
mediadrmserver
mediaextractor
mediaserver
sdcardd
surfaceflinger
Allow bugreport to dump some HAL processes. Whitelist several hals which can be dumped by bugreports. Don't want to dump more because of the time it takes and also certain hals have sensitive data which shouldn't be dumped (i.e. keymaster). Test: dumps work for given hals Bug: 36414311 Change-Id: Ic0eddfa95fa33abbc983d3b5161e42c240663f22
2017-03-21 23:58:16 +01:00
# This list comes from hal_interfaces_to_dump in dumpstate/utils.c
hal_audio_server
hal_bluetooth_server
hal_camera_server
Allow dumping hal_graphics_composer_server and fix watchdog Bug: 37152880 Bug: 37554633 Test: adb shell am hang --allow-restart Test: adb shell dumpstate Change-Id: Ie68607f3e3245a40056bdde7dd810ddf212b4295
2017-04-20 23:34:00 +02:00
hal_graphics_composer_server
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
hal_sensors_server
Allow bugreport to dump some HAL processes. Whitelist several hals which can be dumped by bugreports. Don't want to dump more because of the time it takes and also certain hals have sensitive data which shouldn't be dumped (i.e. keymaster). Test: dumps work for given hals Bug: 36414311 Change-Id: Ic0eddfa95fa33abbc983d3b5161e42c240663f22
2017-03-21 23:58:16 +01:00
hal_vr_server
mediacodec # TODO(b/36375899): hal_omx_server
Sepolicy: Refactor long lines for debuggerd backtraces Split single lines in preparation for new additions. Bug: 28658141 Change-Id: I89f6a52bd2d145c53dd6bb39177578f51a352acf
2016-05-12 03:40:27 +02:00
}:process signal;
Introduce crash_dump debugging helper. Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2016-10-19 23:39:30 +02:00
# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
Keep pre-existing sysfs write permissions. Commit: b144ebab482891cef32ee84c06dbb0f943823573 added the sysfs_usb type and granted the read perms globally, but did not add write permissions for all domains that previously had them. Add the ability to write to sysfs_usb for all domains that had the ability to write to those files previously (sysfs). Address denials such as: type=1400 audit(1904.070:4): avc: denied { write } for pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0 Bug: 28417852 Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849
2016-06-14 22:41:47 +02:00
# TODO: added to match above sysfs rule. Remove me?
allow dumpstate sysfs_usb:file w_file_perms;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;
dumpstate: remove domain_deprecated attribute Clean up "granted" logspam. Grant the observered audited permissions including: tcontext=cache_file avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file tcontext=proc avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file tcontext=sysfs avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file tcontext=proc_meminfo avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read open } for comm="top" path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file tcontext=rootfs avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file tcontext=selinuxfs avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir tcontext=system_file avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir tcontext=system_data_file avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 28760354 Test: Build policy Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
2017-07-03 07:02:10 +02:00
# df for
allow dumpstate {
block_device
cache_file
rootfs
selinuxfs
storage_file
tmpfs
}:dir { search getattr };
dumpstate: storage statistics Deal with a few audit failures Bug: 24200279 Change-Id: Ifb8e936738ef9c8576842576315cca2825310d3a
2015-12-10 01:27:36 +01:00
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
dumpstate: remove domain_deprecated attribute Clean up "granted" logspam. Grant the observered audited permissions including: tcontext=cache_file avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file tcontext=proc avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file tcontext=sysfs avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file tcontext=proc_meminfo avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read open } for comm="top" path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file tcontext=rootfs avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file tcontext=selinuxfs avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir tcontext=system_file avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir tcontext=system_data_file avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 28760354 Test: Build policy Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
2017-07-03 07:02:10 +02:00
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
Get rid of more auditallow spam Addresses the following audit messages: [ 7.984957] type=1400 audit(33873666.610:40): avc: granted { getattr } for pid=1 comm="init" name="system@framework@boot-ext.art" dev="dm-2" ino=106324 scontext=u:r:init:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file [ 65.528068] type=1400 audit(1477751916.508:96): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.530425] type=1400 audit(1477751916.508:97): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.530487] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.530800] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.530842] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531138] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531176] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531465] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531502] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.531789] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.531827] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.713056] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir Bug: 32246161 Test: policy compiles Test: dumpstate no longer generates the audit messages above. Change-Id: Id5afe2ebeb24f8a7407aac1a0a09806b1521b0e4
2016-10-29 17:07:12 +02:00
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
more ephemeral_app cleanup As of https://android-review.googlesource.com/324092, ephemeral_app is now an appdomain, so places where both appdomain and ephemeral_app are granted the same set of rules can be deleted. Test: policy compiles. Change-Id: Ideee710ea47af7303e5eb3af1331653afa698415
2017-01-19 19:56:18 +01:00
binder_call(dumpstate, { appdomain netd wificond })
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
Switch Dumpstate HAL policy to _client/_server This switches Dumpstate HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Dumpstate HAL. Domains which are clients of Dumpstate HAL, such as dumpstate domain, are granted rules targeting hal_dumpstate only when the Dumpstate HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_dumpstate are not granted to client domains. Domains which offer a binderized implementation of Dumpstate HAL, such as hal_dumpstate_default domain, are always granted rules targeting hal_dumpstate. Test: adb bugreport Test: Take bugreport through system UI Bug: 34170079 Change-Id: I3e827534af03cdfa876921c5fa4af3a53025ba27
2017-02-22 19:15:24 +01:00
hal_client_domain(dumpstate, hal_dumpstate)
dumpstate is a client of graphics allocator This fixes avc: denied { call } for comm="screencap" scontext=u:r:dumpstate:s0 tcontext=u:r:hal_graphics_allocator_default:s0 tclass=binder permissive=0 Bug: 37360953 Test: adb shell dumpstate -p -o <path> Change-Id: Ia9387559e3ec1ba51b614bb9d24294fbbbd51b1a
2017-04-20 07:04:34 +02:00
hal_client_domain(dumpstate, hal_graphics_allocator)
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-14 04:05:27 +02:00
# Vibrate the device after we are done collecting the bugreport
Annotate most remaining HALs with _client/_server This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality. The HALs not yet on the _client/_server model after this commit are: * Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are. * Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL. Test: mmm system/sepolicy Test: Device boots, no new denials Test: Device boots in recovery mode, no new denials Bug: 34170079 Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9
2017-03-17 02:48:40 +01:00
hal_client_domain(dumpstate, hal_vibrator)
dumpstate: talk to vibrator hal Bug: 33067126 Test: Dumpstate vibrator works. Change-Id: I46ff453218ba77f156e13b448e3cba9a291df0e7
2016-11-29 22:54:56 +01:00
# For passthrough mode:
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Reading /proc/PID/maps of other processes
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow dumpstate self:global_capability_class_set sys_ptrace;
Allow dumpstate to write shell files Allow the bugreport service to create files in /data/data/com.android.shell/files/bugreports/bugreport . Addresses the following denials: <5>[31778.629368] type=1400 audit(1388876199.162:230): avc: denied { write } for pid=19092 comm="dumpstate" name="bugreports" dev="mmcblk0p28" ino=1565709 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir <5>[31778.629493] type=1400 audit(1388876199.162:231): avc: denied { add_name } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir <5>[31778.629622] type=1400 audit(1388876199.162:232): avc: denied { create } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[31778.629779] type=1400 audit(1388876199.162:233): avc: denied { write open } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[31778.629977] type=1400 audit(1388876199.162:234): avc: denied { getattr } for pid=19092 comm="dumpstate" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file Change-Id: I080613e8a2c989a7b50fde914271967a814c4ff4
2014-01-06 04:20:10 +01:00
# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
Fix denials triggered by adb shell screencap. Change-Id: Ief925f1f49a6579d5a7a1035f3732834238fa590 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-07 19:25:25 +01:00
allow dumpstate shell_data_file:dir create_dir_perms;
Allow dumpstate to write shell files Allow the bugreport service to create files in /data/data/com.android.shell/files/bugreports/bugreport . Addresses the following denials: <5>[31778.629368] type=1400 audit(1388876199.162:230): avc: denied { write } for pid=19092 comm="dumpstate" name="bugreports" dev="mmcblk0p28" ino=1565709 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir <5>[31778.629493] type=1400 audit(1388876199.162:231): avc: denied { add_name } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir <5>[31778.629622] type=1400 audit(1388876199.162:232): avc: denied { create } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[31778.629779] type=1400 audit(1388876199.162:233): avc: denied { write open } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[31778.629977] type=1400 audit(1388876199.162:234): avc: denied { getattr } for pid=19092 comm="dumpstate" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file Change-Id: I080613e8a2c989a7b50fde914271967a814c4ff4
2014-01-06 04:20:10 +01:00
allow dumpstate shell_data_file:file create_file_perms;
Allow dumpstate to run am and shell. See http://code.google.com/p/android/issues/detail?id=65339 Further denials were observed in testing and allowed as well. Change-Id: I54e56bf5650b50b61e092a6dac45c971397df60f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-29 20:56:41 +01:00
# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;
# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
# Dalvik Compiler JIT.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate self:process execmem;
# For art.
Get rid of auditallow spam. Fixes the following SELinux messages when running adb bugreport: avc: granted { read } for name="libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read execute } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { read } for name="system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { read open } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir [ 169.349480] type=1400 audit(1477679159.734:129): avc: granted { read } for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350030] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350361] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350399] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350963] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351002] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351330] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351366] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351861] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351910] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353105] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353186] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353594] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353636] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354230] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354437] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.395359] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file Test: policy compiles Test: adb bugreport runs without auditallow messages above. Bug: 32246161 Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a
2016-10-28 20:18:43 +02:00
allow dumpstate dalvikcache_data_file:dir { search getattr };
allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
Allow dumpstate to read symlink under dalvik-cache This fixes the following policy violation: avc: denied { read } pid=30295 comm="app_process" tcontext=u:object_r:dalvikcache_data_file:s0 scontext=u:r:dumpstate:s0 tclass=lnk_file permissive=0 ppid=26813 pcomm="dumpstate" pgid=26813 pgcomm="dumpstate" See 0e32726 in app.te for a symmetrical change. Change-Id: Iecbccd5fd0046ec193f08b26f9db618dee7a80c1
2015-03-23 08:31:13 +01:00
allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2013-11-13 00:34:52 +01:00
Add btsnoop_hci.log to bugreport zip (2/2) Bug: 28672558 Test: Manual Change-Id: Ibee6e7e52eb6ee285b9ca0a5507d515eb3c54c0e
2016-09-15 00:50:32 +02:00
# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;
Revert "Add screencap domain." This reverts commit 9216a6adc9eee7bad33f0819f6dcc68a7dbbe6e8. Bug: 65206688 Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
2017-09-05 19:07:29 +02:00
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2013-11-13 00:34:52 +01:00
# logd access
read_logd(dumpstate)
control_logd(dumpstate)
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2016-11-08 00:11:39 +01:00
read_runtime_log_tags(dumpstate)
Allow dumpstate to read the list of routing tables. Change-Id: I55475c08c5e43bcf61af916210e680c47480ac32
2014-07-09 00:46:52 +02:00
dumpstate: remove domain_deprecated attribute Clean up "granted" logspam. Grant the observered audited permissions including: tcontext=cache_file avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file tcontext=proc avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file tcontext=sysfs avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file tcontext=proc_meminfo avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read open } for comm="top" path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file tcontext=rootfs avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file tcontext=selinuxfs avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir tcontext=system_file avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir tcontext=system_data_file avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 28760354 Test: Build policy Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
2017-07-03 07:02:10 +02:00
# Read files in /proc
system_server: access to /proc/sys/fs/pipe-max-size Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give system_server access to it. Addresses this denial: avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0 Bug: 69175449 Bug: 69324398 Test: sailfish boots Test: adb bugreport Test: craft an unresponsive app, trigger ANR, make sure traces are dumped into /data/anr Above denial from system_server not observed, no denials to proc_pipe_conf observed. Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59
2017-11-15 01:32:36 +01:00
allow dumpstate {
proc_cmdline
proc_meminfo
proc_net
proc_pipe_conf
proc_pagetypeinfo
proc_version
proc_vmallocinfo
}:file r_file_perms;
Remove dumpstate selinux spam from logs Addresses: avc: granted { read } for name="pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for path="/proc/sys/fs/pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file Test: build policy Change-Id: I7d8721c73c4f3c51b3885a97c697510e61d1221b (cherry picked from commit f44002b37849f18a2d571738fa2789c618efd37f)
2017-06-07 18:25:11 +02:00
r_dir_file(dumpstate, proc)
Get rid of auditallow spam. Fixes the following SELinux messages when running adb bugreport: avc: granted { read } for name="libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read execute } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { read } for name="system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { read open } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir [ 169.349480] type=1400 audit(1477679159.734:129): avc: granted { read } for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350030] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350361] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350399] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350963] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351002] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351330] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351366] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351861] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351910] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353105] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353186] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353594] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353636] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354230] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354437] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.395359] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file Test: policy compiles Test: adb bugreport runs without auditallow messages above. Bug: 32246161 Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a
2016-10-28 20:18:43 +02:00
Allow dumpstate to read the list of routing tables. Change-Id: I55475c08c5e43bcf61af916210e680c47480ac32
2014-07-09 00:46:52 +02:00
# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;
Further refined service_manager auditallow statements. Further refined auditallow statements associated with service_manager and added dumpstate to the service_manager_local_audit_domain. Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
2014-07-18 18:24:13 +02:00
Allow dumpstate to run ss. (cherry picked from commit 63c7ad6efbf2e64a8e5d41be581d769cf6c5c413) Bug: 23113288 Test: see http://ag/1476096 Change-Id: I3beb21f1af092c93eceb3d5115f823c1b993727d
2016-09-26 06:39:43 +02:00
# List sockets via ss.
Don't allow dumpstate to call ioctl on netlink_tcpdiag_socket. This fixes the build error: ===== libsepol.report_assertion_extended_permissions: neverallowxperm on line 166 of system/sepolicy/domain.te (or line 9201 of policy.conf) violated by allow dumpstate dumpstate:netlink_tcpdiag_socket { ioctl }; libsepol.check_assertions: 1 neverallow failures occurred ===== Which is caused, in AOSP and downstream branches, by I123e5d40955358665800fe3b86cd5f8dbaeb8717. Test: builds. Change-Id: I925dec63df7c3a0f731b18093a8ac5c70167c970
2016-09-27 16:24:13 +02:00
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
Allow dumpstate to run ss. (cherry picked from commit 63c7ad6efbf2e64a8e5d41be581d769cf6c5c413) Bug: 23113288 Test: see http://ag/1476096 Change-Id: I3beb21f1af092c93eceb3d5115f823c1b993727d
2016-09-26 06:39:43 +02:00
Allow dumpstate to read /data/tombstones. Change-Id: Iad32cfb4d5b69176fc551b8339d84956415a4fe7
2014-07-23 03:39:04 +02:00
# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;
Creates a new permission for /cache/recovery This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before). Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed. BUG: 25351711 Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
2015-12-22 21:37:17 +01:00
# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;
dumpstate: access to /data/misc/recovery (cherry pick from commit 4bf9a47ea8b6f7fbe48f4cd511d79a066b8e79b7) Bug: 27176738 Change-Id: I70e4b7b54044dd541076eddd39a8e9f5d881badf
2016-03-25 21:34:11 +01:00
# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
dumpstate: Change SELinux policy to allow reading /data/misc/profiles (cherry picked from commit cf63957db387484ffade53b040361bed3309098d) This is needed in order to include profile files in bugreports. Bug: 28610953 Change-Id: I025189a4ac66b936711fdb4e20b10c2b0a7427d1
2016-06-03 16:43:50 +02:00
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
allow dumpstate user_profile_data_file:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
')
dumpstate: access /data/misc/logd (cherry pick from commit 745413387aa8d0476536e6b25000636c7153e2a7) Bug: 27965066 Change-Id: Ia0690c544876e209e4c080b0e959f763b731c48a
2016-04-01 18:58:39 +02:00
# Access /data/misc/logd
userdebug_or_eng(`
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;
')
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
allow dumpstate {
service_manager_type
-dumpstate_service
-gatekeeper_service
-incident_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
}:service_manager find;
Dumpstate: cleanup denial logspam Dumpstate lists all services and then enumerates over them. Suppress "find" denials for services which dumpstate is neverallowed access to. Dumpstate includes the kernel command line in bug reports. Grant access to /proc/cmdline. Test: build. Run adb bugreport. Change-Id: I89b546c728a034638f9257c6cf93366d99a10762
2017-10-20 21:32:41 +02:00
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
dumpstate_service
gatekeeper_service
incident_service
virtual_touchpad_service
vold_service
vr_hwc_service
}:service_manager find;
Allow dumpstate and shell to list services. Addresses the following denials: avc: denied { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager avc: denied { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager Bug: 18864737 Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
2014-12-31 00:21:50 +01:00
allow dumpstate servicemanager:service_manager list;
Grant dumpstate hwservermanager list permission This lets dumpstate obtain the list of currently registered HwBinder services. Test: adb bugreport -- no denials to do with dumpstate access to hwservicemanager list functionality. Bug: 37554633 Change-Id: I95512168948ca45a0dd830c20922e3c776ffaf41
2017-04-21 19:13:28 +02:00
allow dumpstate hwservicemanager:hwservice_manager list;
Dumpstate runs the same from shell as service. Without this change, any selinux warning you might get when running dumpstate from init do not show up when running from the shell as root. This change makes them run the same. Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb
2015-01-29 21:11:55 +01:00
allow dumpstate devpts:chr_file rw_file_perms;
Increase communication surface between dumpstate and Shell: - Add a new 'dumpstate' context for system properties. This context will be used to share state between dumpstate and Shell. For example, as dumpstate progresses, it will update a system property, which Shell will use to display the progress in the UI as a system notification. The user could also rename the bugreport file, in which case Shell would use another system property to communicate such change to dumpstate. - Allow Shell to call 'ctl.bugreport stop' so the same system notification can be used to stop dumpstate. BUG: 25794470 Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
2015-12-02 03:03:05 +01:00
# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
Whitelist exported platform properties This CL lists all the exported platform properties in private/exported_property_contexts. Additionally accessing core_property_type from vendor components is restricted. Instead public_readable_property_type is used to allow vendor components to read exported platform properties, and accessibility from vendor_init is also specified explicitly. Note that whitelisting would be applied only if PRODUCT_COMPATIBLE_PROPERTY is set on. Bug: 38146102 Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2017-10-19 09:54:49 +02:00
set_prop(dumpstate, exported_dumpstate_prop)
Let system_server writes to dumpstate.options property. Currently, we define 4 hardcoded init services to launch dumpstate with different command-line options (since dumpstate must be launched by root): - bugreport - bugreportplus - bugreportwear - bugreportremote This approach does not scale well; a better option is to have just one service, and let the framework pass the extra arguments through a system property. BUG: 31649719 Test: manual Change-Id: I7ebbb7ce6a0fd3588baca6fd76653f87367ed0e5
2016-09-21 19:44:11 +02:00
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)
Add rules to allow dumpstate to run systrace. Cherry picked from 610f461ecf79865548a5a30e85d07d8cee87c14d (AOSP). BUG: 27419521 Change-Id: I63108468d75be3ef7f9761107a3df8997f207d07
2016-03-18 00:08:21 +01:00
Restrict access to ro.serialno and ro.boot.serialno This restricts access to ro.serialno and ro.boot.serialno, the two system properties which contain the device's serial number, to a select few SELinux domains which need the access. In particular, this removes access to these properties from Android apps. Apps can access the serial number via the public android.os.Build API. System properties are not public API for apps. The reason for the restriction is that serial number is a globally unique identifier which cannot be reset by the user. Thus, it can be used as a super-cookie by apps. Apps need to wean themselves off of identifiers not resettable by the user. Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome Test: Access the device via ADB (ADBD exposes serial number) Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo Bug: 31402365 Bug: 33700679 Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
2016-12-21 00:31:37 +01:00
# Read device's serial number from system properties
get_prop(dumpstate, serialno_prop)
Let shell and bugreport read logging related properties. Currently ro.device_owner and persist.logd.security aren't accessible without root, so "adb shell getprop" returns empty reply which is confusing. Also these properties aren't seen from bugreport unless their change happened recently. Bug: 37053313 Test: manual, took bugreport and ran getprop after "adb unroot". Change-Id: Id41cdabc282f2ebcdfc0ac7fe9df756322a0863d
2017-04-20 19:02:50 +02:00
# Read state of logging-related properties
get_prop(dumpstate, device_logging_prop)
Switch /data/misc/reboot/last_reboot_reason to persistent property Switch from /data/misc/reboot/last_reboot_reason to persistent Android property persist.sys.boot.reason for indicating why the device is rebooted or shutdown. Introduce protection for all boot reason properties Protect the following properties with these labels ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0 sys.boot.reason u:object_r:sys_boot_reason_prop:s0 persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0 Setup the current as-need access rules for each. ToDo: Remove u:object_r:reboot_data_file after internal fixes. Test: system/core/bootstat/boot_reason_test.sh Bug: 64687998 Change-Id: I3771c73933e8ae2d94aee936c7a38b6282611b80
2017-08-14 23:25:10 +02:00
# Read state of boot reason properties
get_prop(dumpstate, bootloader_boot_reason_prop)
get_prop(dumpstate, last_boot_reason_prop)
get_prop(dumpstate, system_boot_reason_prop)
Allow search/getattr access to media_rw_data_file for now. With sdcardfs, we no longer have a separate sdcardd acting as an intermediate between the outside world and /data/media. Unless we modify sdcardfs to change contexts, we need these. Added for: system_server, dumpstate, and bluetooth Remove this patch if sdcardfs is updated to change the secontext of fs accesses. Bug: 27932396 Change-Id: I294cfe23269b7959586252250f5527f13e60529b
2016-04-05 19:34:53 +02:00
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
restrict access to timing information in /proc These APIs expose sensitive information via timing side channels. This leaves access via the adb shell intact along with the current uses by dumpstate, init and system_server. The /proc/interrupts and /proc/stat files were covered in this paper: https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/ The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are also relevant. Access to /proc has been greatly restricted since then, with untrusted apps no longer having direct access to these, but stricter restrictions beyond that would be quite useful. Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
2016-07-29 20:48:19 +02:00
allow dumpstate proc_interrupts:file r_file_perms;
fine-grained policy for access to /proc/zoneinfo Change-Id: Ica9a16311075f5cc3744d0e0833ed876e201029f
2016-08-08 19:48:01 +02:00
allow dumpstate proc_zoneinfo:file r_file_perms;
Added permissions for the dumpstate service. - Allow dumpstate to create the dumpservice service. - Allow System Server and Shell to find that service. - Don't allow anyone else to create that service. - Don't allow anyone else to find that service. BUG: 31636879 Test: manual verification Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-10-29 00:52:15 +02:00
# Create a service for talking back to system_server
te_macros: introduce add_service() macro Introduce the add_service() macro which wraps up add/find permissions for the source domain with a neverallow preventing others from adding it. Only a particular domain should add a particular service. Use the add_service() macro to automatically add a neverallow that prevents other domains from adding the service. mediadrmserver was adding services labeled mediaserver_service. Drop the add permission as it should just need the find permission. Additionally, the macro adds the { add find } permission which causes some existing neverallow's to assert. Adjust those neverallow's so "self" can always find. Test: compile and run on hikey and emulator. No new denials were found, and all services, where applicable, seem to be running OK. Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-19 22:23:52 +01:00
add_service(dumpstate, dumpstate_service)
Added permissions for the dumpstate service. - Allow dumpstate to create the dumpservice service. - Allow System Server and Shell to find that service. - Don't allow anyone else to create that service. - Don't allow anyone else to find that service. BUG: 31636879 Test: manual verification Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-10-29 00:52:15 +02:00
domain_deprecated: remove ion access Logs show that only dumpstate requires access. avc: granted { read open } for comm="screencap" path="/dev/ion" dev="tmpfs" ino=14324 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs" ino=14324 ioctlcmd=4906 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file Grant ion permission to dumpstate which uses it for screencap feature. Bug: 28760354 Test: build. Check logs. Change-Id: I6435b7dbf7656669dac5dcfb205cf0aeda93991b
2017-07-03 02:03:44 +02:00
# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;
dumpstate: remove domain_deprecated attribute Clean up "granted" logspam. Grant the observered audited permissions including: tcontext=cache_file avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file tcontext=proc avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file tcontext=sysfs avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file tcontext=proc_meminfo avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read open } for comm="top" path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file tcontext=rootfs avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file tcontext=selinuxfs avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir tcontext=system_file avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir tcontext=system_data_file avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 28760354 Test: Build policy Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
2017-07-03 07:02:10 +02:00
# read default labeled files in /sys
r_dir_file(dumpstate, sysfs)
Fix selinux denials during bugreport avc: denied { read } for pid=1704 comm="top" name="stat" dev="proc" ino=4026532297 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=0 avc: denied { read } for pid=1636 comm="dumpstate" name="lcd-backlight" dev="sysfs" ino=16592 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=lnk_file permissive=0 avc: denied { call } for pid=2230 comm="dumpsys" scontext=u:r:dumpstate:s0 tcontext=u:r:installd:s0 tclass=binder permissive=0 avc: denied { create } for pid=1700 comm="ip" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_xfrm_socket permissive=0 Bug: 62410287 Bug: 35350306 Change-Id: I65be3678c64214ebeb544e0e155bce88b21adf02 Signed-off-by: Tim Kryger <tkryger@google.com>
2017-07-26 22:01:20 +02:00
# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
Allow dumpstate to run iotop Test: adb bugreport Bug: 63629306 Change-Id: I7a366b199ddd0ec303dc25ca8c35764c5d7e3af8
2017-09-28 03:57:01 +02:00
# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
Allow dumpstate to access netlink_generic_socket avc: denied { create } for scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0 avc: denied { create } for comm="iotop" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0 Bug: 68040531 Change-Id: I24a8a094d1b5c493cc695e332c927972f99ae49c
2017-10-30 19:44:42 +01:00
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
Allow dumpstate to run iotop Test: adb bugreport Bug: 63629306 Change-Id: I7a366b199ddd0ec303dc25ca8c35764c5d7e3af8
2017-09-28 03:57:01 +02:00
Added permissions for the dumpstate service. - Allow dumpstate to create the dumpservice service. - Allow System Server and Shell to find that service. - Don't allow anyone else to create that service. - Don't allow anyone else to find that service. BUG: 31636879 Test: manual verification Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-10-29 00:52:15 +02:00
###
### neverallow rules
###
dumpstate: assert no process ptrace dumpstate has CAP_SYS_PTRACE solely for the purpose of reading sensitive /proc/PID files, not for using ptrace attach. Add an assert to ensure that's the case. Test: policy compiles. Change-Id: I975308fae3f8e9a039b9efdc0e9605192b405ce7
2017-02-18 17:22:54 +01:00
# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;
Adding a traceur_app domain to remove it from shell This CL creates a traceur_app domain with userdebug privileges akin to what shell has with regards to being able to find most services on device. Previously, traceur was running as shell which was an unintentional abuse of selinux architecture. Bug: 68126425 Test: Traceur functions outside of shell user privilege Change-Id: Ib5090e7e8225ad201b3ec24b506fe2717101d0f1
2017-12-12 01:19:23 +01:00
# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow {
domain
-system_server
-shell
userdebug_or_eng(`-traceur_app')
-dumpstate
} dumpstate_service:service_manager find;
dumpstate: talk to vibrator hal Bug: 33067126 Test: Dumpstate vibrator works. Change-Id: I46ff453218ba77f156e13b448e3cba9a291df0e7
2016-11-29 22:54:56 +01:00
# Dumpstate should not be writing to any generically labeled sysfs files.
# Create a specific label for the file type
neverallow dumpstate sysfs:file no_w_file_perms;
Reference in a new issue Copy permalink