platform_system_sepolicy/public/dumpstate.te

306 lines
8.6 KiB
Text
Raw Normal View History

# dumpstate
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, system_file_type, exec_type, file_type;
net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)
allow dumpstate self:global_capability_class_set {
# Send signals to processes
kill
# Run iptables
net_raw
net_admin
};
# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;
dumpstate: remove domain_deprecated attribute Clean up "granted" logspam. Grant the observered audited permissions including: tcontext=cache_file avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file tcontext=proc avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file tcontext=sysfs avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file tcontext=proc_meminfo avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read open } for comm="top" path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file tcontext=rootfs avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file tcontext=selinuxfs avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir tcontext=system_file avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir tcontext=system_data_file avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 28760354 Test: Build policy Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
2017-07-03 07:02:10 +02:00
# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;
# Create and write into /data/anr/
allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;
# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;
# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;
# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;
# Get process attributes
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
allow dumpstate { appdomain system_server }:process signal;
# Signal native processes to dump their stack.
allow dumpstate {
# This list comes from native_processes_to_dump in dumputils/dump_utils.c
audioserver
cameraserver
drmserver
inputflinger
mediadrmserver
mediaextractor
mediametrics
mediaserver
sdcardd
surfaceflinger
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_drm_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
hal_omx_server
hal_sensors_server
hal_vr_server
}:process signal;
# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;
allow dumpstate {
sysfs_dm
sysfs_loop
sysfs_usb
sysfs_zram
}:file r_file_perms;
# Other random bits of data we want to collect
allow dumpstate debugfs:file r_file_perms;
auditallow dumpstate debugfs:file r_file_perms;
dumpstate: remove domain_deprecated attribute Clean up "granted" logspam. Grant the observered audited permissions including: tcontext=cache_file avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file tcontext=proc avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file tcontext=sysfs avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file tcontext=proc_meminfo avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read open } for comm="top" path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file tcontext=rootfs avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file tcontext=selinuxfs avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir tcontext=system_file avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir tcontext=system_data_file avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 28760354 Test: Build policy Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
2017-07-03 07:02:10 +02:00
# df for
allow dumpstate {
block_device
cache_file
metadata_file
dumpstate: remove domain_deprecated attribute Clean up "granted" logspam. Grant the observered audited permissions including: tcontext=cache_file avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file tcontext=proc avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file tcontext=sysfs avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file tcontext=proc_meminfo avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read open } for comm="top" path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file tcontext=rootfs avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file tcontext=selinuxfs avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir tcontext=system_file avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir tcontext=system_data_file avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 28760354 Test: Build policy Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
2017-07-03 07:02:10 +02:00
rootfs
selinuxfs
storage_file
tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
dumpstate: remove domain_deprecated attribute Clean up "granted" logspam. Grant the observered audited permissions including: tcontext=cache_file avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file tcontext=proc avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file tcontext=sysfs avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file tcontext=proc_meminfo avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read open } for comm="top" path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file tcontext=rootfs avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file tcontext=selinuxfs avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir tcontext=system_file avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir tcontext=system_data_file avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 28760354 Test: Build policy Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
2017-07-03 07:02:10 +02:00
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
Get rid of more auditallow spam Addresses the following audit messages: [ 7.984957] type=1400 audit(33873666.610:40): avc: granted { getattr } for pid=1 comm="init" name="system@framework@boot-ext.art" dev="dm-2" ino=106324 scontext=u:r:init:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file [ 65.528068] type=1400 audit(1477751916.508:96): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.530425] type=1400 audit(1477751916.508:97): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.530487] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.530800] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.530842] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531138] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531176] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531465] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531502] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.531789] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.531827] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.713056] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir Bug: 32246161 Test: policy compiles Test: dumpstate no longer generates the audit messages above. Change-Id: Id5afe2ebeb24f8a7407aac1a0a09806b1521b0e4
2016-10-29 17:07:12 +02:00
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
hal_client_domain(dumpstate, hal_dumpstate)
hal_client_domain(dumpstate, hal_graphics_allocator)
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-14 04:05:27 +02:00
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
# Reading /proc/PID/maps of other processes
allow dumpstate self:global_capability_class_set sys_ptrace;
2014-01-06 04:20:10 +01:00
# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
2014-01-06 04:20:10 +01:00
allow dumpstate shell_data_file:file create_file_perms;
# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;
# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)
dumpstate: remove domain_deprecated attribute Clean up "granted" logspam. Grant the observered audited permissions including: tcontext=cache_file avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file tcontext=proc avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file tcontext=sysfs avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file tcontext=proc_meminfo avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read open } for comm="top" path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file tcontext=rootfs avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file tcontext=selinuxfs avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir tcontext=system_file avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir tcontext=system_data_file avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 28760354 Test: Build policy Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
2017-07-03 07:02:10 +02:00
# Read files in /proc
allow dumpstate {
proc_buddyinfo
proc_cmdline
proc_meminfo
proc_modules
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
proc_net_type
proc_pipe_conf
proc_pagetypeinfo
proc_qtaguid_ctrl
proc_qtaguid_stat
proc_slabinfo
proc_version
proc_vmallocinfo
proc_vmstat
}:file r_file_perms;
Get rid of auditallow spam. Fixes the following SELinux messages when running adb bugreport: avc: granted { read } for name="libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read execute } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { read } for name="system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { read open } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir [ 169.349480] type=1400 audit(1477679159.734:129): avc: granted { read } for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350030] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350361] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350399] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350963] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351002] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351330] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351366] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351861] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351910] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353105] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353186] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353594] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353636] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354230] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354437] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.395359] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file Test: policy compiles Test: adb bugreport runs without auditallow messages above. Bug: 32246161 Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a
2016-10-28 20:18:43 +02:00
# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;
# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;
# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;
# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
#Access /data/misc/update_engine_log
allow dumpstate update_engine_log_data_file:dir r_dir_perms;
allow dumpstate update_engine_log_data_file:file r_file_perms;
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
allow dumpstate user_profile_data_file:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
')
# Access /data/misc/logd
userdebug_or_eng(`
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;
')
allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;
allow dumpstate {
service_manager_type
-apex_service
-dumpstate_service
-gatekeeper_service
-iorapd_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
apex_service
dumpstate_service
gatekeeper_service
iorapd_service
virtual_touchpad_service
vold_service
vr_hwc_service
}:service_manager find;
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;
allow dumpstate devpts:chr_file rw_file_perms;
# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
set_prop(dumpstate, exported_dumpstate_prop)
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)
# Read any system properties
get_prop(dumpstate, property_type)
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;
# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)
# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;
# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
# For when dumpstate runs df
dontaudit dumpstate mnt_vendor_file:dir search;
dontaudit dumpstate apex_mnt_dir:dir getattr;
# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);
# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);
# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)
###
### neverallow rules
###
# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;
# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow {
domain
-system_server
-shell
-traceur_app
-dumpstate
} dumpstate_service:service_manager find;