tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/dumpstate.te

216 lines
6.7 KiB
Text
Raw Normal View History

initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# dumpstate
Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 18:54:39 +01:00
type dumpstate, domain, domain_deprecated, mlstrustedsubject;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
type dumpstate_exec, exec_type, file_type;
net_domain(dumpstate)
binder_use(dumpstate)
Allow dumpstate to use wake_lock. (cherry picked from commit e123f06123dff9a3a4f5fc4ffd8b52162a91bb4e) b/30832947 Change-Id: Icd5117d655f1197524b39fe7bc1b11c4d920093c
2016-08-19 01:17:11 +02:00
wakelock_use(dumpstate)
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
Dumpstate runs the same from shell as service. Without this change, any selinux warning you might get when running dumpstate from init do not show up when running from the shell as root. This change makes them run the same. Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb
2015-01-29 21:11:55 +01:00
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:capability { setuid setgid sys_resource };
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)
Grant access to net_raw and net_admin to dumpstate. These capabilities are required so it can run iptables, otherwise it will cause failures such as: 06-20 16:19:02.650 5524 5524 W iptables: type=1400 audit(0.0:232): avc: denied { net_raw } for capability=13 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0 06-20 16:56:57.119 5070 5070 W iptables: type=1400 audit(0.0:13): avc: denied { net_admin } for capability=12 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0 BUG: 29455997 Change-Id: I9c0d1973f166da202d039eac883a6e53d53e24cb
2016-06-20 19:01:53 +02:00
allow dumpstate self:capability {
# Send signals to processes
kill
# Run iptables
net_raw
net_admin
};
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
Only allow toolbox exec where /system exec was already allowed. When the toolbox domain was introduced, we allowed all domains to exec it to avoid breakage. However, only domains that were previously allowed the ability to exec /system files would have been able to do this prior to the introduction of the toolbox domain. Remove the rule from domain.te and add rules to all domains that are already allowed execute_no_trans to system_file. Requires coordination with device-specific policy changes with the same Change-Id. Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 17:38:29 +02:00
allow dumpstate toolbox_exec:file rx_file_perms;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Create and write into /data/anr/
allow dumpstate self:capability { dac_override chown fowner fsetid };
eliminate some anr_data_file permissions. Init is now responsible for creating /data/anr, so it's unnecessary to grant system_server and dumpstate permissions to relabel this directory. Remove the excess permissions. Leave system_data_file relabelfrom, since it's possible we're still using it somewhere. See commits: https://android-review.googlesource.com/161650 https://android-review.googlesource.com/161477 https://android-review.googlesource.com/161638 Bug: 22385254 Change-Id: I1fd226491f54d76ff51b03d4b91e7adc8d509df9
2015-08-13 02:01:57 +02:00
allow dumpstate anr_data_file:dir rw_dir_perms;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
allow dumpstate anr_data_file:file create_file_perms;
# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;
# Read dmesg
allow dumpstate self:capability2 syslog;
allow dumpstate kernel:system syslog_read;
dumpstate: allow pstore access Dumpstate reads from /sys/fs/pstore/console-ramoops when generating a bug report. Allow it. Addresses the following denials: <12>[ 2187.362750] type=1400 audit(1402346777.139:9): avc: denied { search } for pid=4155 comm="dumpstate" name="/" dev="pstore" ino=9954 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1 <12>[ 2187.363025] type=1400 audit(1402346777.139:10): avc: denied { getattr } for pid=4155 comm="dumpstate" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1 <12>[ 2187.363185] type=1400 audit(1402346777.139:11): avc: denied { read } for pid=4155 comm="dumpstate" name="console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1 <12>[ 2187.363321] type=1400 audit(1402346777.139:12): avc: denied { open } for pid=4155 comm="dumpstate" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1 Change-Id: Ia20b7a03ed8e0c61b023eea93415a50af82e1bbf
2014-06-09 22:19:36 +02:00
# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Get process attributes
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
Rename autoplay_app to ephemeral_app Test: Builds and boots Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-06 22:15:44 +02:00
allow dumpstate { appdomain ephemeral_app system_server }:process signal;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
Sepolicy: Refactor long lines for debuggerd backtraces Split single lines in preparation for new additions. Bug: 28658141 Change-Id: I89f6a52bd2d145c53dd6bb39177578f51a352acf
2016-05-12 03:40:27 +02:00
allow dumpstate {
audioserver
cameraserver
drmserver
inputflinger
mediacodec
mediadrmserver
mediaextractor
mediaserver
sdcardd
surfaceflinger
}:process signal;
Allow dumpstate to dump backtraces of certain native processes. The list of processes comes from frameworks/native/cmds/dumpstate/utils.c. dumpstate calls dump_backtrace_to_file() for each such process, which asks debuggerd to dump the backtrace. Resolves denials such as: avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:surfaceflinger:s0 tclass=debuggerd avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:drmserver:s0 tclass=debuggerd avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:mediaserver:s0 tclass=debuggerd avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:sdcardd:s0 tclass=debuggerd Change-Id: Idbfb0fef0aac138073b7217b7dbad826a1193098 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-08-01 16:15:24 +02:00
# Ask debuggerd for the backtraces of these processes.
Sepolicy: Refactor long lines for debuggerd backtraces Split single lines in preparation for new additions. Bug: 28658141 Change-Id: I89f6a52bd2d145c53dd6bb39177578f51a352acf
2016-05-12 03:40:27 +02:00
allow dumpstate {
audioserver
cameraserver
drmserver
inputflinger
mediacodec
mediadrmserver
mediaextractor
mediaserver
sdcardd
surfaceflinger
}:debuggerd dump_backtrace;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
Keep pre-existing sysfs write permissions. Commit: b144ebab482891cef32ee84c06dbb0f943823573 added the sysfs_usb type and granted the read perms globally, but did not add write permissions for all domains that previously had them. Add the ability to write to sysfs_usb for all domains that had the ability to write to those files previously (sysfs). Address denials such as: type=1400 audit(1904.070:4): avc: denied { write } for pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0 Bug: 28417852 Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849
2016-06-14 22:41:47 +02:00
# TODO: added to match above sysfs rule. Remove me?
allow dumpstate sysfs_usb:file w_file_perms;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;
dumpstate: allow df on /storage/emulated dumpstate runs "df" on all mounted filesystems. Allow dumpstate to access /storage/emulated so df works. Addresses the following denial: avc: denied { search } for pid=4505 comm="df" name="/" dev="tmpfs" ino=6207 scontext=u:r:dumpstate:s0 tcontext=u:object_r:storage_file:s0 tclass=dir Change-Id: I99dac8321b19952e37c0dd9d61a680a27beb1ae8
2015-04-07 00:24:51 +02:00
# df for /storage/emulated needs search
dumpstate: storage statistics Deal with a few audit failures Bug: 24200279 Change-Id: Ifb8e936738ef9c8576842576315cca2825310d3a
2015-12-10 01:27:36 +01:00
allow dumpstate { storage_file block_device }:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
Get rid of more auditallow spam Addresses the following audit messages: [ 7.984957] type=1400 audit(33873666.610:40): avc: granted { getattr } for pid=1 comm="init" name="system@framework@boot-ext.art" dev="dm-2" ino=106324 scontext=u:r:init:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file [ 65.528068] type=1400 audit(1477751916.508:96): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.530425] type=1400 audit(1477751916.508:97): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.530487] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.530800] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.530842] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531138] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531176] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531465] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531502] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.531789] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.531827] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.713056] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir Bug: 32246161 Test: policy compiles Test: dumpstate no longer generates the audit messages above. Change-Id: Id5afe2ebeb24f8a7407aac1a0a09806b1521b0e4
2016-10-29 17:07:12 +02:00
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
Rename autoplay_app to ephemeral_app Test: Builds and boots Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-06 22:15:44 +02:00
binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
dumpstate: talk to vibrator hal Bug: 33067126 Test: Dumpstate vibrator works. Change-Id: I46ff453218ba77f156e13b448e3cba9a291df0e7
2016-11-29 22:54:56 +01:00
# Vibrate the device after we are done collecting the bugreport
# For binderized mode:
Add hal_dumpstate attribute. - Also allow dumpstate to talk to hal_dumpstate. Bug: 31982882 Test: compiles Change-Id: Ib9cf0027ee7e71fa40b9ccc29fc8dccea6977e5c
2016-12-01 18:39:10 +01:00
binder_call(dumpstate, hal_dumpstate)
dumpstate: talk to vibrator hal Bug: 33067126 Test: Dumpstate vibrator works. Change-Id: I46ff453218ba77f156e13b448e3cba9a291df0e7
2016-11-29 22:54:56 +01:00
binder_call(dumpstate, hal_vibrator)
binder_call(dumpstate, hwservicemanager)
# For passthrough mode:
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-14 07:19:45 +01:00
# Reading /proc/PID/maps of other processes
allow dumpstate self:capability sys_ptrace;
Allow dumpstate to write shell files Allow the bugreport service to create files in /data/data/com.android.shell/files/bugreports/bugreport . Addresses the following denials: <5>[31778.629368] type=1400 audit(1388876199.162:230): avc: denied { write } for pid=19092 comm="dumpstate" name="bugreports" dev="mmcblk0p28" ino=1565709 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir <5>[31778.629493] type=1400 audit(1388876199.162:231): avc: denied { add_name } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir <5>[31778.629622] type=1400 audit(1388876199.162:232): avc: denied { create } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[31778.629779] type=1400 audit(1388876199.162:233): avc: denied { write open } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[31778.629977] type=1400 audit(1388876199.162:234): avc: denied { getattr } for pid=19092 comm="dumpstate" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file Change-Id: I080613e8a2c989a7b50fde914271967a814c4ff4
2014-01-06 04:20:10 +01:00
# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
Fix denials triggered by adb shell screencap. Change-Id: Ief925f1f49a6579d5a7a1035f3732834238fa590 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-07 19:25:25 +01:00
allow dumpstate shell_data_file:dir create_dir_perms;
Allow dumpstate to write shell files Allow the bugreport service to create files in /data/data/com.android.shell/files/bugreports/bugreport . Addresses the following denials: <5>[31778.629368] type=1400 audit(1388876199.162:230): avc: denied { write } for pid=19092 comm="dumpstate" name="bugreports" dev="mmcblk0p28" ino=1565709 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir <5>[31778.629493] type=1400 audit(1388876199.162:231): avc: denied { add_name } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir <5>[31778.629622] type=1400 audit(1388876199.162:232): avc: denied { create } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[31778.629779] type=1400 audit(1388876199.162:233): avc: denied { write open } for pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[31778.629977] type=1400 audit(1388876199.162:234): avc: denied { getattr } for pid=19092 comm="dumpstate" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file Change-Id: I080613e8a2c989a7b50fde914271967a814c4ff4
2014-01-06 04:20:10 +01:00
allow dumpstate shell_data_file:file create_file_perms;
Allow dumpstate to run am and shell. See http://code.google.com/p/android/issues/detail?id=65339 Further denials were observed in testing and allowed as well. Change-Id: I54e56bf5650b50b61e092a6dac45c971397df60f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-29 20:56:41 +01:00
# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;
# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
# Dalvik Compiler JIT.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate self:process execmem;
# For art.
Get rid of auditallow spam. Fixes the following SELinux messages when running adb bugreport: avc: granted { read } for name="libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read execute } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { read } for name="system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { read open } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir [ 169.349480] type=1400 audit(1477679159.734:129): avc: granted { read } for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350030] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350361] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350399] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350963] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351002] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351330] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351366] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351861] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351910] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353105] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353186] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353594] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353636] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354230] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354437] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.395359] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file Test: policy compiles Test: adb bugreport runs without auditallow messages above. Bug: 32246161 Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a
2016-10-28 20:18:43 +02:00
allow dumpstate libart_file:file { r_file_perms execute };
allow dumpstate dalvikcache_data_file:dir { search getattr };
allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
Allow dumpstate to read symlink under dalvik-cache This fixes the following policy violation: avc: denied { read } pid=30295 comm="app_process" tcontext=u:object_r:dalvikcache_data_file:s0 scontext=u:r:dumpstate:s0 tclass=lnk_file permissive=0 ppid=26813 pcomm="dumpstate" pgid=26813 pgcomm="dumpstate" See 0e32726 in app.te for a symmetrical change. Change-Id: Iecbccd5fd0046ec193f08b26f9db618dee7a80c1
2015-03-23 08:31:13 +01:00
allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2013-11-13 00:34:52 +01:00
Add btsnoop_hci.log to bugreport zip (2/2) Bug: 28672558 Test: Manual Change-Id: Ibee6e7e52eb6ee285b9ca0a5507d515eb3c54c0e
2016-09-15 00:50:32 +02:00
# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;
dumpstate: allow gpu_device access dumpstate calls screencap to take a screenshot. screencap requires the ability to access the gpu device. Allow it. Bug: 15514427 Change-Id: Iad8451b6108786653146de471f6be2d26b0e3297
2014-06-09 21:51:42 +02:00
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2013-11-13 00:34:52 +01:00
# logd access
read_logd(dumpstate)
control_logd(dumpstate)
Allow dumpstate to read the list of routing tables. Change-Id: I55475c08c5e43bcf61af916210e680c47480ac32
2014-07-09 00:46:52 +02:00
Get rid of auditallow spam. Fixes the following SELinux messages when running adb bugreport: avc: granted { read } for name="libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read execute } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { getattr } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { search } for name="arm64" dev="dm-2" ino=106290 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir avc: granted { read } for name="system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { read open } for path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2" ino=106318 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289 scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir [ 169.349480] type=1400 audit(1477679159.734:129): avc: granted { read } for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350030] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350361] type=1400 audit(1477679159.734:130): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350399] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.350963] type=1400 audit(1477679159.734:131): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route" dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351002] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351330] type=1400 audit(1477679159.734:132): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351366] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351861] type=1400 audit(1477679159.734:133): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.351910] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353105] type=1400 audit(1477679159.734:134): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353186] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353594] type=1400 audit(1477679159.734:135): avc: granted { read } for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.353636] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354230] type=1400 audit(1477679159.734:136): avc: granted { read open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.354437] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file [ 169.395359] type=1400 audit(1477679159.734:137): avc: granted { getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6" dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file Test: policy compiles Test: adb bugreport runs without auditallow messages above. Bug: 32246161 Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a
2016-10-28 20:18:43 +02:00
# Read /proc/net
allow dumpstate proc_net:file r_file_perms;
Allow dumpstate to read the list of routing tables. Change-Id: I55475c08c5e43bcf61af916210e680c47480ac32
2014-07-09 00:46:52 +02:00
# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;
Further refined service_manager auditallow statements. Further refined auditallow statements associated with service_manager and added dumpstate to the service_manager_local_audit_domain. Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
2014-07-18 18:24:13 +02:00
Allow dumpstate to run ss. (cherry picked from commit 63c7ad6efbf2e64a8e5d41be581d769cf6c5c413) Bug: 23113288 Test: see http://ag/1476096 Change-Id: I3beb21f1af092c93eceb3d5115f823c1b993727d
2016-09-26 06:39:43 +02:00
# List sockets via ss.
Don't allow dumpstate to call ioctl on netlink_tcpdiag_socket. This fixes the build error: ===== libsepol.report_assertion_extended_permissions: neverallowxperm on line 166 of system/sepolicy/domain.te (or line 9201 of policy.conf) violated by allow dumpstate dumpstate:netlink_tcpdiag_socket { ioctl }; libsepol.check_assertions: 1 neverallow failures occurred ===== Which is caused, in AOSP and downstream branches, by I123e5d40955358665800fe3b86cd5f8dbaeb8717. Test: builds. Change-Id: I925dec63df7c3a0f731b18093a8ac5c70167c970
2016-09-27 16:24:13 +02:00
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
Allow dumpstate to run ss. (cherry picked from commit 63c7ad6efbf2e64a8e5d41be581d769cf6c5c413) Bug: 23113288 Test: see http://ag/1476096 Change-Id: I3beb21f1af092c93eceb3d5115f823c1b993727d
2016-09-26 06:39:43 +02:00
Allow dumpstate to read /data/tombstones. Change-Id: Iad32cfb4d5b69176fc551b8339d84956415a4fe7
2014-07-23 03:39:04 +02:00
# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;
Creates a new permission for /cache/recovery This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before). Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed. BUG: 25351711 Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
2015-12-22 21:37:17 +01:00
# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;
dumpstate: access to /data/misc/recovery (cherry pick from commit 4bf9a47ea8b6f7fbe48f4cd511d79a066b8e79b7) Bug: 27176738 Change-Id: I70e4b7b54044dd541076eddd39a8e9f5d881badf
2016-03-25 21:34:11 +01:00
# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
dumpstate: Change SELinux policy to allow reading /data/misc/profiles (cherry picked from commit cf63957db387484ffade53b040361bed3309098d) This is needed in order to include profile files in bugreports. Bug: 28610953 Change-Id: I025189a4ac66b936711fdb4e20b10c2b0a7427d1
2016-06-03 16:43:50 +02:00
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
allow dumpstate user_profile_data_file:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
allow dumpstate user_profile_foreign_dex_data_file:dir r_dir_perms;
allow dumpstate user_profile_foreign_dex_data_file:file r_file_perms;
')
dumpstate: access /data/misc/logd (cherry pick from commit 745413387aa8d0476536e6b25000636c7153e2a7) Bug: 27965066 Change-Id: Ia0690c544876e209e4c080b0e959f763b731c48a
2016-04-01 18:58:39 +02:00
# Access /data/misc/logd
userdebug_or_eng(`
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;
')
Added permissions for the dumpstate service. - Allow dumpstate to create the dumpservice service. - Allow System Server and Shell to find that service. - Don't allow anyone else to create that service. - Don't allow anyone else to find that service. BUG: 31636879 Test: manual verification Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-10-29 00:52:15 +02:00
allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service }:service_manager find;
Allow dumpstate and shell to list services. Addresses the following denials: avc: denied { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager avc: denied { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager Bug: 18864737 Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
2014-12-31 00:21:50 +01:00
allow dumpstate servicemanager:service_manager list;
Dumpstate runs the same from shell as service. Without this change, any selinux warning you might get when running dumpstate from init do not show up when running from the shell as root. This change makes them run the same. Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb
2015-01-29 21:11:55 +01:00
allow dumpstate devpts:chr_file rw_file_perms;
Increase communication surface between dumpstate and Shell: - Add a new 'dumpstate' context for system properties. This context will be used to share state between dumpstate and Shell. For example, as dumpstate progresses, it will update a system property, which Shell will use to display the progress in the UI as a system notification. The user could also rename the bugreport file, in which case Shell would use another system property to communicate such change to dumpstate. - Allow Shell to call 'ctl.bugreport stop' so the same system notification can be used to stop dumpstate. BUG: 25794470 Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
2015-12-02 03:03:05 +01:00
# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
Let system_server writes to dumpstate.options property. Currently, we define 4 hardcoded init services to launch dumpstate with different command-line options (since dumpstate must be launched by root): - bugreport - bugreportplus - bugreportwear - bugreportremote This approach does not scale well; a better option is to have just one service, and let the framework pass the extra arguments through a system property. BUG: 31649719 Test: manual Change-Id: I7ebbb7ce6a0fd3588baca6fd76653f87367ed0e5
2016-09-21 19:44:11 +02:00
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)
Add rules to allow dumpstate to run systrace. Cherry picked from 610f461ecf79865548a5a30e85d07d8cee87c14d (AOSP). BUG: 27419521 Change-Id: I63108468d75be3ef7f9761107a3df8997f207d07
2016-03-18 00:08:21 +01:00
Restrict access to ro.serialno and ro.boot.serialno This restricts access to ro.serialno and ro.boot.serialno, the two system properties which contain the device's serial number, to a select few SELinux domains which need the access. In particular, this removes access to these properties from Android apps. Apps can access the serial number via the public android.os.Build API. System properties are not public API for apps. The reason for the restriction is that serial number is a globally unique identifier which cannot be reset by the user. Thus, it can be used as a super-cookie by apps. Apps need to wean themselves off of identifiers not resettable by the user. Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome Test: Access the device via ADB (ADBD exposes serial number) Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo Bug: 31402365 Bug: 33700679 Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
2016-12-21 00:31:37 +01:00
# Read device's serial number from system properties
get_prop(dumpstate, serialno_prop)
Allow search/getattr access to media_rw_data_file for now. With sdcardfs, we no longer have a separate sdcardd acting as an intermediate between the outside world and /data/media. Unless we modify sdcardfs to change contexts, we need these. Added for: system_server, dumpstate, and bluetooth Remove this patch if sdcardfs is updated to change the secontext of fs accesses. Bug: 27932396 Change-Id: I294cfe23269b7959586252250f5527f13e60529b
2016-04-05 19:34:53 +02:00
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
restrict access to timing information in /proc These APIs expose sensitive information via timing side channels. This leaves access via the adb shell intact along with the current uses by dumpstate, init and system_server. The /proc/interrupts and /proc/stat files were covered in this paper: https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/ The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are also relevant. Access to /proc has been greatly restricted since then, with untrusted apps no longer having direct access to these, but stricter restrictions beyond that would be quite useful. Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
2016-07-29 20:48:19 +02:00
allow dumpstate proc_interrupts:file r_file_perms;
fine-grained policy for access to /proc/zoneinfo Change-Id: Ica9a16311075f5cc3744d0e0833ed876e201029f
2016-08-08 19:48:01 +02:00
allow dumpstate proc_zoneinfo:file r_file_perms;
Added permissions for the dumpstate service. - Allow dumpstate to create the dumpservice service. - Allow System Server and Shell to find that service. - Don't allow anyone else to create that service. - Don't allow anyone else to find that service. BUG: 31636879 Test: manual verification Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-10-29 00:52:15 +02:00
# Create a service for talking back to system_server
allow dumpstate dumpstate_service:service_manager add;
###
### neverallow rules
###
# only dumpstate can add the dumpstate service
neverallow { domain -dumpstate } dumpstate_service:service_manager add;
# only system_server and shell can find the dumpstate service
neverallow { domain -system_server -shell } dumpstate_service:service_manager find;
dumpstate: talk to vibrator hal Bug: 33067126 Test: Dumpstate vibrator works. Change-Id: I46ff453218ba77f156e13b448e3cba9a291df0e7
2016-11-29 22:54:56 +01:00
# Dumpstate should not be writing to any generically labeled sysfs files.
# Create a specific label for the file type
neverallow dumpstate sysfs:file no_w_file_perms;
Reference in a new issue Copy permalink