2016-01-19 19:54:20 +01:00
# bootstat command
type bootstat, domain;
type bootstat_exec, system_file_type, exec_type, file_type;

read_runtime_log_tags(bootstat)

# Allow persistent storage in /data/misc/bootstat.
allow bootstat bootstat_data_file:dir rw_dir_perms;
allow bootstat bootstat_data_file:file create_file_perms;

# Collect metrics on boot time created by init
get_prop(bootstat, boottime_prop)

# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
set_prop(bootstat, bootloader_boot_reason_prop)
set_prop(bootstat, system_boot_reason_prop)
set_prop(bootstat, last_boot_reason_prop)

# ToDo: TBI move access for the following to a system health HAL

# Allow access to /sys/fs/pstore/ and syslog
allow bootstat pstorefs:dir search;
allow bootstat pstorefs:file r_file_perms;
allow bootstat kernel:system syslog_read;

# Allow access to reading the logs to read aspects of system health
read_logd(bootstat)

# ToDo: end

bootstat: lock down *_boot_reason_prop

Add series of neverallow rules to restrict components from reading or
writing bootloader_boot_reason_prop, system_boot_reason_prop and
last_boot_reason_prop to a trusted set of domains.

The policy is that bootloader_boot_reason_prop (ro.boot.bootreason)
has a compliance issue due to the sheer momentum of near unparseable
content as filed by the wide variety (8000 different devices at last
count) of bootloaders and is only to be accessible to a series of
responsible system components. It can be inaccurate as it provides
no means to evaluate a shutdown, likely reporting "cold" (from
initial power up) or the more generic "reboot".

The last_boot_reason_prop (persist.sys.boot.reason) contains
inaccurate information as it is only valid after a controlled reboot
or shutdown. The value can linger around after less controlled
scenarios. Since the information could be false, we do not want to
support it as an open API, so we again block access to only
responsible components.

The system_boot_reason_prop (sys.boot.reason) is a canonical boot
reason that takes into account parsing bootloader_boot_reason_prop,
boot_loader_boot_reason_prop and other system and HAL generated hints
to determine a parseable and most accurate reason for the last time
the system was rebooted.

For now the policy for system_boot_reason_prop is to audit users of
the API, and on a need to know basis via device additions to the
selinux rules. If vendors need their components to access the boot
reason, they need to comply first with CTS tests and spirit with
regards to controlled reboot messaging and in turn read the
system_boot_reason_prop for the canonical information. It will
contain validated content derived from bootloader_boot_reason_prop
in the scenarios that count.

The controlled reboot APIs include:
- android_reboot(ANDROID_RB_<TYPE>, int flag, const char* reason)
- PowerManagerService.lowLevelShutdown(String reason);
- PowerManagerService.lowLevelReboot(String reason);
- ShutdownThread.shutdown(context, String reason, boolean confirm);
- ShutdownThread.reboot(context, String reason, boolean confirm);
- PowerManager.shutdown(boolean confirm, String reason, boolean wait);
- PowerManager.reboot(String reason);

Any others (including the direct linux reboot syscall) create
problems for generating an accurate canonical boot reason.

Test: compile
Bug: 63736262
Bug: 65686279
Change-Id: I2e5e55bbea1c383c06472eb2989237cfeb852030

neverallow {
  domain
  -bootanim
  -bootstat
  -dumpstate
  -init
  -recovery
  -shell
  -system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;

# ... and refine, as these components should not set the last boot reason
neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;

neverallow {
  domain
  -bootstat
  -init
  -system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;

# ... and refine ... for a ro property no less ... keep this _tight_
neverallow system_server bootloader_boot_reason_prop:property_service set;

neverallow {
  domain
  -bootstat
  -init
} system_boot_reason_prop:property_service set;
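The neverallow rules above, and the trust policy the commit message lays out for them, work as compile-time assertions: checkpolicy rejects any allow rule, from any .te file in the build, whose source, target, class and permissions intersect a neverallow. The following checker is an added example and is not code from the sepolicy project. It parses the five neverallow statements as they appear on this page and reports which of them a candidate allow rule would collide with, so a device policy author can see in advance whether a domain may read or set a boot reason property. The candidate rules, the domain name vendor_diag and the expansion of the r_file_perms macro are constructed assumptions for the demo; real builds take the macro definitions from global_macros and the full domain set from the compiled policy.

```python
"""Check candidate allow rules against the bootstat boot-reason neverallows.

Added example (not from the sepolicy project). The neverallow text is the
page's own; the candidates, vendor_diag and the macro expansion are assumed.
"""
import re

# Assumption: a pre-Android-10 style expansion of r_file_perms, enough for the demo.
PERM_MACROS = {"r_file_perms": {"getattr", "open", "read", "ioctl", "lock"}}

NEVERALLOW_POLICY = """
neverallow {
  domain
  -bootanim
  -bootstat
  -dumpstate
  -init
  -recovery
  -shell
  -system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
neverallow {
  domain
  -bootstat
  -init
  -system_server
} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
neverallow system_server bootloader_boot_reason_prop:property_service set;
neverallow {
  domain
  -bootstat
  -init
} system_boot_reason_prop:property_service set;
"""

# One TE access rule: source set, target set, class, permission set.
RULE_RE = re.compile(
    r"\b(?P<kind>neverallow|allow)\b\s+"
    r"(?P<src>\{[^}]*\}|\S+)\s+"
    r"(?P<tgt>\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(?P<cls>\w+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+?)\s*;",
    re.S,
)


def _tokens(text):
    return text.strip().strip("{}").split()


def _perms(text):
    out = set()
    for tok in _tokens(text):
        out |= PERM_MACROS.get(tok, {tok})  # expand known macros, keep raw perms
    return out


def parse_rules(policy):
    """Parse allow/neverallow rules; '-name' in the source set is an exclusion."""
    rules = []
    for m in RULE_RE.finditer(policy):
        include, exclude = set(), set()
        for tok in _tokens(m["src"]):
            (exclude if tok.startswith("-") else include).add(tok.lstrip("-"))
        rules.append({"kind": m["kind"], "src_include": include,
                      "src_exclude": exclude, "targets": set(_tokens(m["tgt"])),
                      "cls": m["cls"], "perms": _perms(m["perms"])})
    return rules


def source_matches(rule, dom):
    """The attribute 'domain' covers every domain; explicit exclusions win."""
    if dom in rule["src_exclude"]:
        return False
    return "domain" in rule["src_include"] or dom in rule["src_include"]


def check_allow(allow_text, neverallow_text=NEVERALLOW_POLICY):
    """Return the neverallow rules a single candidate allow rule collides with."""
    (cand,) = parse_rules(allow_text)
    doms = cand["src_include"] - cand["src_exclude"]
    return [na for na in parse_rules(neverallow_text)
            if na["kind"] == "neverallow"
            and na["cls"] == cand["cls"]
            and na["targets"] & cand["targets"]
            and na["perms"] & cand["perms"]
            and any(source_matches(na, d) for d in doms)]


if __name__ == "__main__":
    for cand in ("allow vendor_diag bootloader_boot_reason_prop:file r_file_perms;",
                 "allow bootanim last_boot_reason_prop:file r_file_perms;",
                 "allow system_server bootloader_boot_reason_prop:property_service set;",
                 "allow bootstat system_boot_reason_prop:property_service set;",
                 "allow dumpstate system_boot_reason_prop:file { read open };"):
        print(f"{len(check_allow(cand))} neverallow conflict(s): {cand}")
```

Two results illustrate the policy's shape. A hypothetical vendor domain that reads ro.boot.bootreason is refused outright, and system_server is refused from setting it even though it may set the other two, which is what the "keep this tight" rule enforces. By contrast, a read of sys.boot.reason by dumpstate trips nothing, matching the commit message's decision to audit readers of the canonical property rather than to neverallow them.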