dmesgd: sepolicies

dmesgd is a daemon that collects kernel memory error reports.

When system_server notices that a kernel error occured, it sets the
dmesgd.start system property to 1, which results in init starting
dmesgd.

Once that happens, dmesgd runs `dmesg` and parses its output to collect
the last error report. That report, together with the headers containing
device- and build-specific information is stored in Dropbox.

Empirically, dmesgd needs the following permissions:
- execute shell (for popen()) and toolbox (for dmesg),
  read system_log (for dmesg)
- read /proc/version (to generate headers)
- perform Binder calls to servicemanager and system_server,
  find dropbox_service (for dropbox)
- create files in /data/misc/dmesgd (to store persistent state)

Bug: 215095687
Test: run dmesgd on a user device with injected KFENCE bugs
Change-Id: Iff21a2ffd99fc31b89a58ac774299b5e922721ea

private/dmesgd.te

@@ -0,0 +1,15 @@
+type dmesgd, domain, coredomain;
+type dmesgd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(dmesgd)
+
+allow dmesgd dmesgd_data_file:dir create_dir_perms;
+allow dmesgd dmesgd_data_file:file create_file_perms;
+
+allow dmesgd kernel:system syslog_read;
+allow dmesgd shell_exec:file rx_file_perms;
+allow dmesgd toolbox_exec:file rx_file_perms;
+binder_use(dmesgd)
+binder_call(dmesgd, system_server)
+allow dmesgd dropbox_service:service_manager find;
+allow dmesgd proc_version:file r_file_perms;

private/file.te

@@ -64,6 +64,9 @@ type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_d
 # /data/font/files
 type font_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc/dmesgd
+type dmesgd_data_file, file_type, data_file_type, core_data_file_type;
+
 # /data/misc/odrefresh
 type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
 

private/file_contexts

@@ -291,6 +291,7 @@
 /system/bin/remount              u:object_r:remount_exec:s0
 /system/bin/dhcpcd      u:object_r:dhcp_exec:s0
 /system/bin/dhcpcd-6\.8\.2	u:object_r:dhcp_exec:s0
+/system/bin/dmesgd	u:object_r:dmesgd_exec:s0
 /system/bin/mtpd	u:object_r:mtp_exec:s0
 /system/bin/pppd	u:object_r:ppp_exec:s0
 /system/bin/racoon	u:object_r:racoon_exec:s0
@@ -603,6 +604,7 @@
 /data/misc/carrierid(/.*)?      u:object_r:radio_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
 /data/misc/dhcp-6\.8\.2(/.*)?     u:object_r:dhcp_data_file:s0
+/data/misc/dmesgd(/.*)?         u:object_r:dmesgd_data_file:s0
 /data/misc/emergencynumberdb(/.*)?     u:object_r:emergency_data_file:s0
 /data/misc/gatekeeper(/.*)?     u:object_r:gatekeeper_data_file:s0
 /data/misc/incidents(/.*)?	    u:object_r:incident_data_file:s0

private/property.te

@@ -12,6 +12,7 @@ system_internal_prop(device_config_window_manager_native_boot_prop)
 system_internal_prop(device_config_configuration_prop)
 system_internal_prop(device_config_connectivity_prop)
 system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(dmesgd_start_prop)
 system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)

private/property_contexts

@@ -651,6 +651,8 @@ vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
 apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
 apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
 
+dmesgd.start u:object_r:dmesgd_start_prop:s0 exact bool
+
 odsign.key.done u:object_r:odsign_prop:s0 exact bool
 odsign.verification.done u:object_r:odsign_prop:s0 exact bool
 odsign.verification.success u:object_r:odsign_prop:s0 exact bool

private/system_server.te

@@ -699,6 +699,7 @@ set_prop(system_server, boot_status_prop)
 set_prop(system_server, surfaceflinger_color_prop)
 set_prop(system_server, provisioned_prop)
 set_prop(system_server, retaildemo_prop)
+set_prop(system_server, dmesgd_start_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 
 # ctl interface