From 248f0e069a0419f1f8dbb547cf2f2cfff78323dc Mon Sep 17 00:00:00 2001 
From: Steven Moreland
Date: Fri, 17 May 2024 22:30:40 +0000
Subject: [PATCH] Update transaction log permissions.

I locked down binderfs in Android V (still this release), but part of it
was opened up too much, so the transactions file is now restricted to
userdebug builds.

transaction_log and failed_transaction_log are not used in AOSP, but they
are requested by partners.

Bug: 316970771 for transactions
Bug: 336711420 for request to open up transaction history logs
Test: boot, bugreport, also:

:) adb shell ls -Z /dev/binderfs/binder_logs
u:object_r:binderfs_logs_transaction_history:s0 failed_transaction_log
u:object_r:binderfs_logs_proc:s0 proc
u:object_r:binderfs_logs:s0 state
u:object_r:binderfs_logs_stats:s0 stats
u:object_r:binderfs_logs_transaction_history:s0 transaction_log
u:object_r:binderfs_logs_transactions:s0 transactions
:) adb shell cat /dev/binderfs/binder_logs/transaction_log
10058502: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 36:0 ret 0/0 l=0
10058503: call from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 116:0 ret 0/0 l=0
10058504: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 12:0 ret 0/0 l=0
10058505: call from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 84:0 ret 0/0 l=0
...
:) adb shell cat /dev/binderfs/binder_logs/failed_transaction_log
26418: reply from 584:1568 to 0:0 context binder node 0 handle -1 size 20:0 ret 29189/0 l=3194
57265: async from 2978:4304 to 3039:0 context binder node 40111 handle 6 size 96:0 ret 29189/-3 l=3465
57269: call from 4437:4613 to 670:0 context binder node 57183 handle 44 size 116:0 ret 29189/-3 l=3465
57288: async from 4252:4450 to 3039:0 context binder node 34895 handle 1 size 92:0 ret 29189/-3 l=3465
...
Change-Id: I73e570dee8e59e76acaf0def615701e0e85e207f
---
 private/compat/202404/202404.ignore.cil | 1 +
 private/domain.te | 12 +++++++++++-
 private/dumpstate.te | 4 +++-
 private/genfs_contexts | 2 ++
 private/system_server.te | 5 ++++-
 public/file.te | 1 +
 6 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index e65136ef9..2a11a5508 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -9,6 +9,7 @@
     fs_bpf_lmkd_memevents_rb
     fs_bpf_lmkd_memevents_prog
     binderfs_logs_transactions
+    binderfs_logs_transaction_history
     proc_compaction_proactiveness
     proc_cgroups
   ))
diff --git a/private/domain.te b/private/domain.te
index dfcc740a6..8257c041f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -505,7 +505,17 @@ get_prop(domain, binder_cache_system_server_prop)
 get_prop(domain, binder_cache_telephony_server_prop)
 
 # Binderfs logs contain sensitive information about other processes.
-neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transactions:file no_rw_file_perms;
+neverallow {
+  domain
+  -init
+  -vendor_init
+  userdebug_or_eng(`-dumpstate')
+  userdebug_or_eng(`-system_server')
+} binderfs_logs_transactions:file no_rw_file_perms;
+
+# Binderfs transaction history is less sensitive than transactions, but it
+# still contains global information about the system.
+neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms;
 
 # Allow access to fsverity keyring.
 allow domain kernel:key search;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index bccbafdd0..53a64739a 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
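Review bot: The new neverallow for binderfs_logs_transaction_history at the end of the private/domain.te hunk exempts dumpstate and system_server on every build type, while the rewritten rule for binderfs_logs_transactions directly above now exempts those two domains only under userdebug_or_eng, and no allow rule for the history type is added for either domain anywhere in this patch. A neverallow is only an upper bound, so this is not a grant, but the exemption is wider than anything the change actually uses on user builds and will let a later allow rule slip in without the build-type gate the transactions rule enforces. If user-build access for those domains is intended for partners, say so in the comment; otherwise mirror the rule above: `neverallow { domain -init -vendor_init userdebug_or_eng(`-dumpstate') userdebug_or_eng(`-system_server') } binderfs_logs_transaction_history:file no_rw_file_perms;`. The comment's "global information" is also vaguer than the sample output in the description, which shows pid:tid pairs, node ids, handles and sizes of other processes' transactions; consider stating that directly, e.g. `# still reveals pid/tid pairs, node ids and payload sizes of other processes' IPC.`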
@@ -129,7 +129,9 @@ set_prop(dumpstate, ctl_gsid_prop)
 binder_call(dumpstate, gsid)
 
 #Allow access to /dev/binderfs/binder_logs
-allow dumpstate binderfs_logs_transactions:file r_file_perms;
+userdebug_or_eng(`
+  allow dumpstate binderfs_logs_transactions:file r_file_perms;
+')
 
 r_dir_file(dumpstate, ota_metadata_file)
 
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 23d62187e..ac59c9afc 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -309,6 +309,8 @@ genfscon binder /binder_logs u:object_r:binderfs_logs:s0
 genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
 genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
 genfscon binder /binder_logs/transactions u:object_r:binderfs_logs_transactions:s0
+genfscon binder /binder_logs/transaction_log u:object_r:binderfs_logs_transaction_history:s0
+genfscon binder /binder_logs/failed_transaction_log u:object_r:binderfs_logs_transaction_history:s0
 genfscon binder /features u:object_r:binderfs_features:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0
diff --git a/private/system_server.te b/private/system_server.te
index 1ddb48a48..c3fc8ceaf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1618,8 +1618,11 @@ set_prop(system_server, dalvik_dynamic_config_prop)
 # Allow system server to read binderfs
 allow system_server binderfs_logs:dir r_dir_perms;
 allow system_server binderfs_logs_stats:file r_file_perms;
+
 # For ANRs
-allow system_server binderfs_logs_transactions:file r_file_perms;
+userdebug_or_eng(`
+  allow system_server binderfs_logs_transactions:file r_file_perms;
+')
 
 # Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
 set_prop(system_server, game_manager_config_prop)
diff --git a/public/file.te b/public/file.te
index 34347cbb7..9f75f05d1 100644
--- a/public/file.te
+++ b/public/file.te
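Review bot: In the private/dumpstate.te hunk the allow rule for binderfs_logs_transactions is now compiled out on user builds, but the comment `#Allow access to /dev/binderfs/binder_logs` still reads as unconditional, and nothing in this patch stops dumpstate from attempting the open; if the bugreport code path is not gated on build type as well (not visible here), every bugreport on a user build will now log an AVC denial for this file. The same applies to the `# For ANRs` rule in the private/system_server.te hunk later in this patch, where an ANR dump on a user build would produce the same denial. Update the comment to state the gate, e.g. `# Transactions expose other processes' IPC; readable on userdebug/eng only`, and if the read cannot be gated in code, a `dontaudit dumpstate binderfs_logs_transactions:file r_file_perms;` outside the userdebug_or_eng block keeps the user-build log clean, since neverallow constrains allow rules rather than dontaudit rules.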
@@ -11,6 +11,7 @@ type binderfs_logs_stats, fs_type;
 
 starting_at_board_api(202504, `
     type binderfs_logs_transactions, fs_type;
+    type binderfs_logs_transaction_history, fs_type;
 ')
 
 type binderfs_features, fs_type;