platform_system_sepolicy/private/incident.te

typeattribute incident coredomain;

type incident_exec, system_file_type, exec_type, file_type;

# switch to incident domain for incident command
domain_auto_trans(shell, incident_exec, incident)
domain_auto_trans(dumpstate, incident_exec, incident)

# allow incident access to stdout from its parent shell.
allow incident shell:fd use;

# allow incident to communicate with dumpstate, and write incident report to
# /data/data/com.android.shell/files/bugreports/tmp_incident_report
allow incident dumpstate:fd use;
allow incident dumpstate:unix_stream_socket { read write };
allow incident shell_data_file:file write;

# allow incident be able to output data for CTS to fetch.
allow incident devpts:chr_file { read write };

# allow incident to communicate use, read and write over the adb
# connection.
allow incident adbd:fd use;
allow incident adbd:unix_stream_socket { read write };

# allow adbd to reap incident
allow incident adbd:process { sigchld };

# Allow the incident command to talk to the incidentd over the binder, and get
# back the incident report data from a ParcelFileDescriptor.
binder_use(incident)
allow incident incident_service:service_manager find;
binder_call(incident, incidentd)
allow incident incidentd:fifo_file write;

# only allow incident being called by shell or dumpstate
neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute incident coredomain;`

Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5 2018-09-27 19:21:37 +02:00			`type incident_exec, system_file_type, exec_type, file_type;`
Add incident command and incidentd daemon se policy. Test: adb shell incident Bug: 31122534 Change-Id: I4ac9c9ab86867f09b63550707673149fe60f1906 2016-11-21 08:23:04 +01:00
			`# switch to incident domain for incident command`
			`domain_auto_trans(shell, incident_exec, incident)`
Allow dumpstate to call incident CLI Instead of relying on the regular iteration through the system services inside dumpstate, dumpstate now uses a dedicated incident CLI to capture incident report. This patch makes required SELinux changes to make it happen. Bug: 137493082 Test: Manually takes a bugreport from command line, power button, and BetterBug. Verifies /proto/incident_report.proto exists in the zip file, and no unintended avc denial. Change-Id: I0d93b015b7a9d32db4f3bf10d1c25e5a3ca04e48 2019-08-21 23:58:13 +02:00			`domain_auto_trans(dumpstate, incident_exec, incident)`
Add incident command and incidentd daemon se policy. Test: adb shell incident Bug: 31122534 Change-Id: I4ac9c9ab86867f09b63550707673149fe60f1906 2016-11-21 08:23:04 +01:00
			`# allow incident access to stdout from its parent shell.`
			`allow incident shell:fd use;`

Allow dumpstate to call incident CLI Instead of relying on the regular iteration through the system services inside dumpstate, dumpstate now uses a dedicated incident CLI to capture incident report. This patch makes required SELinux changes to make it happen. Bug: 137493082 Test: Manually takes a bugreport from command line, power button, and BetterBug. Verifies /proto/incident_report.proto exists in the zip file, and no unintended avc denial. Change-Id: I0d93b015b7a9d32db4f3bf10d1c25e5a3ca04e48 2019-08-21 23:58:13 +02:00			`# allow incident to communicate with dumpstate, and write incident report to`
			`# /data/data/com.android.shell/files/bugreports/tmp_incident_report`
			`allow incident dumpstate:fd use;`
			`allow incident dumpstate:unix_stream_socket { read write };`
			`allow incident shell_data_file:file write;`

Add this rule allows incidentd CTS tests be able to use incident command to fetch data from shell. Bug: 72502621 Test: N/A Change-Id: I5b581f647c2f2932f0e3711965b98351ef7e6063 2018-01-31 21:33:57 +01:00			`# allow incident be able to output data for CTS to fetch.`
			`allow incident devpts:chr_file { read write };`

Add incident command and incidentd daemon se policy. Test: adb shell incident Bug: 31122534 Change-Id: I4ac9c9ab86867f09b63550707673149fe60f1906 2016-11-21 08:23:04 +01:00			`# allow incident to communicate use, read and write over the adb`
			`# connection.`
			`allow incident adbd:fd use;`
			`allow incident adbd:unix_stream_socket { read write };`

			`# allow adbd to reap incident`
			`allow incident adbd:process { sigchld };`

			`# Allow the incident command to talk to the incidentd over the binder, and get`
			`# back the incident report data from a ParcelFileDescriptor.`
			`binder_use(incident)`
			`allow incident incident_service:service_manager find;`
			`binder_call(incident, incidentd)`
			`allow incident incidentd:fifo_file write;`

Allow dumpstate to call incident CLI Instead of relying on the regular iteration through the system services inside dumpstate, dumpstate now uses a dedicated incident CLI to capture incident report. This patch makes required SELinux changes to make it happen. Bug: 137493082 Test: Manually takes a bugreport from command line, power button, and BetterBug. Verifies /proto/incident_report.proto exists in the zip file, and no unintended avc denial. Change-Id: I0d93b015b7a9d32db4f3bf10d1c25e5a3ca04e48 2019-08-21 23:58:13 +02:00			`# only allow incident being called by shell or dumpstate`
			`neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };`