# dumpstate
#
# Policy for the dumpstate daemon, the process that collects bugreports. The
# rules in this file give it wide read access across the system; the neverallow
# rules at the end of the file pin down the accesses that must never widen.
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, system_file_type, exec_type, file_type;

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
# (`domain` is the attribute every process type carries, so this is read access
# to the /proc/<pid> tree of every process, not only dumpstate's own).
r_dir_file(dumpstate, domain)

allow dumpstate self:global_capability_class_set {
  # Send signals to processes
  kill
  # Run iptables
  net_raw
  net_admin
};

# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
# execute_no_trans: the helpers keep running in the dumpstate domain (no domain
# transition), so whatever they touch is bounded by the rules in this file.
allow dumpstate system_file:file execute_no_trans;
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;

# Create and write into /data/anr/
# NOTE(review): dac_override / dac_read_search bypass the DAC (uid/gid) checks
# system-wide, not only under /data/anr/; the SELinux rules in this file are
# then the only remaining bound on what dumpstate can open.
allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
# (system_data_file is a broad label: this grants read on every file carrying
# it, not just uiderrors.txt.)
allow dumpstate system_data_file:file r_file_perms;
SEPolicy changes for public BugreportManager API.
Allow non-system apps to get an instance through
Context#getSystemService, and then dumpstate also needs permissions to
append to public apps' files.
Most carrier apps are not pre-installed, but we still want to allow them
to request connectivity bug reports, which are well-scoped to contain
limited PII and all info should directly relate to connectivity
(cellular/wifi/networking) debugging.
BugreportManager underneath validates that the calling app has carrier
privileges before actually starting the bug report routine. User consent
is requested for every bugreport requested by carrier apps.
Without the dumpstate.te change, the following error will occur:
01-14 20:08:52.394 1755 1755 I auditd : type=1400 audit(0.0:10): avc: denied { append } for comm="Binder:1755_16" path="/data/user/0/com.carrier.bugreportapp.public/files/bugreports/bugreport-2021-01-14-20-08-51.zip" dev="dm-8" ino=25218 scontext=u:r:dumpstate:s0 tcontext=u:object_r:app_data_file:s0:c7,c257,c512,c768 tclass=file permissive=0
[ 1167.128552] type=1400 audit(1610654932.394:10): avc: denied { append } for comm="Binder:1755_16" path="/data/user/0/com.carrier.bugreportapp.public/files/bugreports/bugreport-2021-01-14-20-08-51.zip" dev="dm-8" ino=25218 scontext=u:r:dumpstate:s0 tcontext=u:object_r:app_data_file:s0:c7,c257,c512,c768 tclass=file permissive=0
Bug: 161393541
Test: atest CtsCarrierApiTestCases:BugreportManagerTest
Change-Id: I443b1f6cd96223ed600c4006bc344c2a8663fdc7
# Allow dumpstate to append into apps' private files.
# Only `append` is granted here (no read, write or create), so dumpstate can
# extend an app-owned report file but nothing in this file lets it read back
# or overwrite app data.
allow dumpstate { privapp_data_file app_data_file }:file append;

# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote }:process signal;

# Signal native processes to dump their stack.
# This set is an explicit allow-list: keep it in step with dump_utils.c, since a
# daemon added there without an entry here will be denied the signal.
allow dumpstate {
  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  sdcardd
  surfaceflinger
  vold

  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
  hal_audio_server
  hal_audiocontrol_server
  hal_bluetooth_server
  hal_camera_server
  hal_codec2_server
  hal_drm_server
  hal_evs_server
  hal_face_server
  hal_fingerprint_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_thermal_server
  hal_vehicle_server
  hal_vr_server
  system_suspend_server
}:process signal;

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;

# File reads under /sys are limited to these specific labels rather than to
# sysfs_type as a whole.
allow dumpstate {
  sysfs_devices_block
  sysfs_dm
  sysfs_loop
  sysfs_usb
  sysfs_zram
}:file r_file_perms;

# Other random bits of data we want to collect
no_debugfs_restriction(`
  allow dumpstate debugfs:file r_file_perms;
  # auditallow logs each *granted* debugfs read, presumably so the remaining
  # users can be located before the access is withdrawn.
  auditallow dumpstate debugfs:file r_file_perms;

  allow dumpstate debugfs_mmc:file r_file_perms;
')

# df for the mount points below (search + getattr only; no file content is read)
allow dumpstate {
  block_device
  cache_file
  metadata_file
  rootfs
  selinuxfs
  storage_file
  tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)

# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })

# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
dump_hal(hal_thermal)
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_identity)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
dump_hal(hal_contexthub)
dump_hal(hal_drm)

# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)

# Reading /proc/PID/maps of other processes
# sys_ptrace is granted for /proc access only; attaching with ptrace is blocked
# by the `neverallow dumpstate *:process ptrace;` rule in the neverallow section
# at the end of this file.
allow dumpstate self:global_capability_class_set sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# For Nfc
allow dumpstate nfc_logs_data_file:dir r_dir_perms;
allow dumpstate nfc_logs_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)
# Read files in /proc
allow dumpstate {
proc_buddyinfo
proc_cmdline
proc_meminfo
proc_modules
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will be assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be, including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
proc_net_type
proc_pipe_conf
proc_pagetypeinfo
proc_qtaguid_ctrl
proc_qtaguid_stat
proc_slabinfo
proc_version
proc_vmallocinfo
proc_vmstat
}:file r_file_perms;
# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/update_engine_log
allow dumpstate update_engine_log_data_file:dir r_dir_perms;
allow dumpstate update_engine_log_data_file:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/
# Only on userdebug/eng builds; user builds get no profile access at all.
userdebug_or_eng(`
  allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
  allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;

# Access /data/misc/prereboot
allow dumpstate prereboot_data_file:dir r_dir_perms;
allow dumpstate prereboot_data_file:file r_file_perms;

allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;

# find on every service_manager_type except the listed exclusions; the
# dontaudit that follows keeps lookups of those excluded services out of the
# audit log.
allow dumpstate {
  service_manager_type
  -apex_service
  -dumpstate_service
  -gatekeeper_service
  -hal_service_type
  -virtual_touchpad_service
  -vold_service
  -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
  apex_service
  dumpstate_service
  gatekeeper_service
  hal_service_type
  virtual_touchpad_service
  vold_service
}:service_manager find;

# Most of these are neverallowed.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

allow dumpstate devpts:chr_file rw_file_perms;

# Read any system properties
# (property_type is the attribute shared by all property labels, so this is
# read access to every property on the device.)
get_prop(dumpstate, property_type)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;

# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;

allow dumpstate proc_pressure_cpu:file r_file_perms;
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;

# Allow dumpstate to run ps
allow dumpstate proc_pid_max:file r_file_perms;

# Allow dumpstate to talk to installd over binder
# NOTE(review): the trailing ';' after this macro call (also on the bufferhubd
# and mediaswcodec lines below) is inconsistent with the other binder_call
# lines in this file, e.g. iorapd.
binder_call(dumpstate, installd);

# Allow dumpstate to talk to iorapd over binder.
binder_call(dumpstate, iorapd)

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# Allow dumpstate to run ss
# getattr only: dumpstate can inspect any process's sockets but not read or
# write on them.
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;

# Allow dumpstate to read linkerconfig directory
allow dumpstate linkerconfig_file:dir { read open };

# For when dumpstate runs df
dontaudit dumpstate {
  mnt_vendor_file
  mirror_data_file
  mnt_user_file
}:dir search;
dontaudit dumpstate {
  apex_mnt_dir
  linkerconfig_file
  mirror_data_file
  mnt_user_file
}:dir getattr;

# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);

# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);

# Allow dumpstate to talk to these stable AIDL services over binder
# Each server side also gets write on dumpstate's fifo and use of its fd —
# looks like the dump output is streamed back through a pipe dumpstate passes
# over binder; confirm against the dump() implementation.
binder_call(dumpstate, hal_rebootescrow_server)
allow hal_rebootescrow_server dumpstate:fifo_file write;
allow hal_rebootescrow_server dumpstate:fd use;

binder_call(dumpstate, hal_authsecret_server)
allow hal_authsecret_server dumpstate:fifo_file write;
allow hal_authsecret_server dumpstate:fd use;

binder_call(dumpstate, hal_keymint_server)
allow hal_keymint_server dumpstate:fifo_file write;
allow hal_keymint_server dumpstate:fd use;

binder_call(dumpstate, hal_memtrack_server)
allow hal_memtrack_server dumpstate:fifo_file write;
allow hal_memtrack_server dumpstate:fd use;

binder_call(dumpstate, hal_oemlock_server)
allow hal_oemlock_server dumpstate:fifo_file write;
allow hal_oemlock_server dumpstate:fd use;

binder_call(dumpstate, hal_weaver_server)
allow hal_weaver_server dumpstate:fifo_file write;
allow hal_weaver_server dumpstate:fd use;

# Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;

# Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;

allow dumpstate apex_info_file:file getattr;

###
### neverallow rules
###
# neverallow rules are checked when the policy is built: any allow rule
# elsewhere (including vendor policy) that would grant one of these accesses
# fails the build rather than silently widening dumpstate.

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
# (every other domain cannot even locate the service through servicemanager)
neverallow {
  domain
  -system_server
  -shell
  -traceur_app
  -dumpstate
} dumpstate_service:service_manager find;