Setting up SELinux policy for statsd and stats service

Bug: 63757906 Test: manual testing conducted Change-Id: Id03413ce82b5646d4bceddc59e16c7d5ee5bc193
2017-12-18 15:14:33 -08:00 · 2017-12-18 15:14:33 -08:00 · 2970845577
commit 2970845577
parent b73cd9f8df
9 changed files with 116 additions and 3 deletions
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@ -28,6 +28,13 @@
    package_native_service
    property_info
    slice_service
+    stats
+    stats_data_file
+    stats_exec
+    stats_service
+    statsd
+    statsd_exec
+    statsd_tmpfs
    statscompanion_service
    storaged_data_file
    sysfs_fs_ext4_features
--- a/private/file.te
+++ b/private/file.te
@ -1,6 +1,9 @@
 # /proc/config.gz
 type config_gz, fs_type;

+# /data/misc/stats-data, /data/misc/stats-service
+type stats_data_file, file_type, data_file_type, core_data_file_type;
+
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;

--- a/private/file_contexts
+++ b/private/file_contexts
@ -277,6 +277,8 @@
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
 /system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
+/system/bin/stats                u:object_r:stats_exec:s0
+/system/bin/statsd               u:object_r:statsd_exec:s0

 #############################
 # Vendor files
@ -385,6 +387,8 @@
 /data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
+/data/misc/stats-data(/.*)?     u:object_r:stats_data_file:s0
+/data/misc/stats-service(/.*)?  u:object_r:stats_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/textclassifier(/.*)?       u:object_r:textclassifier_data_file:s0
 /data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
--- a/private/service.te
+++ b/private/service.te
@ -0,0 +1,2 @@
+type stats_service, service_manager_type;
+type statscompanion_service, system_server_service, service_manager_type;
--- a/private/service_contexts
+++ b/private/service_contexts
@ -142,6 +142,7 @@ simphonebook2                             u:object_r:radio_service:s0
 simphonebook                              u:object_r:radio_service:s0
 sip                                       u:object_r:radio_service:s0
 slice                                     u:object_r:slice_service:s0
+stats                                     u:object_r:stats_service:s0
 statscompanion                            u:object_r:statscompanion_service:s0
 soundtrigger                              u:object_r:voiceinteraction_service:s0
 statusbar                                 u:object_r:statusbar_service:s0
--- a/private/stats.te
+++ b/private/stats.te
@ -0,0 +1,25 @@
+type stats, domain;
+typeattribute stats coredomain;
+type stats_exec, exec_type, file_type;
+
+# switch to stats domain for stats command
+domain_auto_trans(shell, stats_exec, stats)
+
+# allow stats access to stdout from its parent shell.
+allow stats shell:fd use;
+
+# allow stats to communicate use, read and write over the adb
+# connection.
+allow stats adbd:fd use;
+allow stats adbd:unix_stream_socket { read write };
+
+# allow adbd to reap stats
+allow stats adbd:process { sigchld };
+
+# Allow the stats command to talk to the statsd over the binder, and get
+# back the stats report data from a ParcelFileDescriptor.
+binder_use(stats)
+allow stats stats_service:service_manager find;
+binder_call(stats, statsd)
+allow stats statsd:fifo_file write;
+
--- a/private/statsd.te
+++ b/private/statsd.te
@ -0,0 +1,72 @@
+type statsd, domain;
+typeattribute statsd coredomain;
+
+init_daemon_domain(statsd)
+
+type statsd_exec, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+#   /system/bin/toolbox
+#   /system/bin/logcat
+#   /system/bin/dumpsys
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, incidentd)
+binder_call(statsd, statscompanion_service)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+  statscompanion_service
+  app_api_service
+  system_api_service
+}:service_manager find;
+
+# Only statsd can publish the binder service.
+add_service(statsd, stats_service)
+
+# Allow pipes from (and only from) stats.
+allow statsd stats:fd use;
+allow statsd stats:fifo_file write;
+
+# Allow statsd to call back to stats with status updates.
+binder_call(statsd, stats)
+
+###
+### neverallow rules
+###
+
+# Only system_server, system_app, and stats command can find the stats service.
+neverallow {
+  domain
+  -dumpstate
+  -shell
+  -stats
+  -statsd
+  -system_app
+  -system_server
+} stats_service:service_manager find;
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;
+
--- a/private/system_server.te
+++ b/private/system_server.te
@ -169,6 +169,7 @@ binder_call(system_server, gatekeeperd)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
 binder_call(system_server, netd)
+binder_call(system_server, statsd)
 binder_call(system_server, storaged)
 binder_call(system_server, vold)
 binder_call(system_server, wificond)
@ -578,6 +579,7 @@ allow system_server mediadrmserver_service:service_manager find;
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
+allow system_server stats_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server vold_service:service_manager find;
@ -800,5 +802,3 @@ neverallow system_server { domain -system_server }:process ptrace;
 # file read access. However, that is now unnecessary (b/34951864)
 neverallow system_server system_server:global_capability_class_set sys_resource;

-# TODO(b/67468181): Remove following lines upon resolution of this bug
-dontaudit system_server statscompanion_service:service_manager { add find };
--- a/public/service.te
+++ b/public/service.te
@ -21,7 +21,6 @@ type mediadrmserver_service,    service_manager_type;
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
-type statscompanion_service,    service_manager_type;
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;