diff --git a/private/app.te b/private/app.te
index 359c35411..d65fea4ee 100644
--- a/private/app.te
+++ b/private/app.te
@@ -109,10 +109,22 @@ allow appdomain shortcut_manager_icons:file { getattr read };
 # Read icon file (opened by system).
 allow appdomain icon_file:file { getattr read };
-# Write to /data/anr/traces.txt.
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces.
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
diff --git a/private/file_contexts b/private/file_contexts
index 5433ea869..fa27bd10e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -146,6 +146,7 @@
 /dev/socket/rild u:object_r:rild_socket:s0
 /dev/socket/rild-debug u:object_r:rild_debug_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
 /dev/socket/uncrypt u:object_r:uncrypt_socket:s0
 /dev/socket/vold u:object_r:vold_socket:s0
diff --git a/private/system_server.te b/private/system_server.te
index 5ada67e4d..240d9e551 100644
--- a/private/system_server.te
+++ b/private/system_server.te
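Review bot: The TODO above `allow appdomain anr_data_file:dir search;` says every old-scheme permission except `anr_data_file:file append` can be withdrawn, but never says why `append` has to survive, so a later cleanup could easily drop it along with the rest. Writes an app makes through the FD it gets back from tombstoned are still checked against the trace file's label, which makes the surviving `append` a requirement of the new scheme rather than a leftover of the old one (assuming tombstoned opens the per-trace file with O_APPEND; it would be `write` otherwise — worth confirming against tombstoned). I would move that one permission under the new-scheme comment and say so: `# anr_data_file:file append is still required by the new scheme: writes to the FD handed back by tombstoned are checked against the trace file's label.`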
@@ -300,9 +300,22 @@ allow system_server asec_apk_file:file create_file_perms;
 allow system_server asec_public_file:file create_file_perms;
 # Manage /data/anr.
+#
+# TODO: Some of these permissions can be withdrawn once we've switched to the
+# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
+# the system_server should never need to create a new anr_data_file:file or write
+# to one, but it will still need to read and append to existing files.
 allow system_server anr_data_file:dir create_dir_perms;
 allow system_server anr_data_file:file create_file_perms;
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow system_server to connect and write to the tombstoned java trace socket in
+# order to dump its traces.
+unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
+allow system_server tombstoned:fd use;
+
 # Read /data/misc/incidents - only read. The fd will be sent over binder,
 # with no DAC access to it, for dropbox to read.
 allow system_server incident_data_file:file read;
diff --git a/public/domain.te b/public/domain.te
index 958481f52..ed7403bba 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -481,14 +481,19 @@ neverallow {
 # Processes that can't exec crash_dump
 -mediacodec
 -mediaextractor
-} tombstoned:unix_stream_socket connectto;
+} tombstoned_crash_socket:unix_stream_socket connectto;
+
 neverallow {
 domain
 -crash_dump
 -mediacodec
 -mediaextractor
 } tombstoned_crash_socket:sock_file write;
+
+# Never allow anyone except dumpstate or the system server to connect or write to
+# the tombstoned intercept socket.
 neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
 # Android does not support System V IPCs.
 #
diff --git a/public/file.te b/public/file.te
index 8a48dfe30..7e11c642a 100644
--- a/public/file.te
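Review bot: The new TODO keeps `allow system_server anr_data_file:file create_file_perms;` in full while stating that create and write should become unnecessary, but unlike the tombstoned.te hunk of this same change nothing here records whether those permissions are still exercised, so there will be no evidence to act on when the switch lands. An `auditallow system_server anr_data_file:file { create write };` next to the allow would provide that evidence; it will be noisy while the old scheme is still the active path, so it may be better to add it in the change that flips the mechanism, but the TODO should at least say that auditing is the intended way to retire these grants. The enclosing /data/anr block is otherwise complete within the hunk.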
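Review bot: Retargeting the first neverallow from `tombstoned:unix_stream_socket connectto` to `tombstoned_crash_socket:unix_stream_socket connectto` may leave it with nothing to match: `unix_socket_connect(..., tombstoned)` grants `connectto` against the tombstoned domain, and the kernel checks `connectto` against the label of the listening socket, which init assigns from the service's domain unless the init.rc socket entry carries an explicit seclabel — please confirm which labeling tombstoned's sockets actually get. If the socket carries tombstoned's domain label, both this rule and the new `tombstoned_intercept_socket:unix_stream_socket connectto` neverallow are vacuous and the `sock_file write` neverallows are the only ones actually restricting who can reach the crash and intercept sockets, which should then be stated in a comment above them so nobody relaxes the write rules believing the connectto rules still hold. Separately, the new `tombstoned_java_trace_socket` is now the only tombstoned socket with no neverallow at all; if its intended clients are the two domains this change grants, `neverallow { domain -appdomain -system_server } tombstoned_java_trace_socket:sock_file write;` would pin that down, with the exclusion list widened rather than the rule dropped if other Java processes are expected to use it.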
+++ b/public/file.te
@@ -243,6 +243,7 @@ type rild_debug_socket, file_type;
 type system_wpa_socket, file_type;
 type system_ndebug_socket, file_type, mlstrustedobject;
 type tombstoned_crash_socket, file_type, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type;
 type uncrypt_socket, file_type;
 type vold_socket, file_type;
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 37243bb66..cf3ddcba9 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -10,8 +10,13 @@ allow tombstoned domain:dir r_dir_perms;
 allow tombstoned domain:file r_file_perms;
 allow tombstoned tombstone_data_file:dir rw_dir_perms;
 allow tombstoned tombstone_data_file:file create_file_perms;
-allow tombstoned anr_data_file:file { getattr append };
-# TODO: Find out why this is happening.
-allow tombstoned anr_data_file:file write;
-auditallow tombstoned anr_data_file:file write;
+# TODO: Remove append / write permissions. They were temporarily
+# granted due to a bug which appears to have been fixed.
+allow tombstoned anr_data_file:file { append write };
+auditallow tombstoned anr_data_file:file { append write };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { getattr open create };
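Review bot: The TODO says `{ append write }` is temporary and should be removed, but the new-scheme rule `allow tombstoned anr_data_file:file { getattr open create };` cannot on its own open a freshly created per-trace file for writing: the open is checked together with its access mode, so an O_WRONLY open also needs `write` (or `append` with O_APPEND), and as written the new mechanism would be carried by the supposedly temporary grant and would trip the `auditallow` on every trace. I would fold whichever mode tombstoned actually uses into the new rule and audit only the other, e.g. `allow tombstoned anr_data_file:file { getattr open create write };` with `auditallow tombstoned anr_data_file:file append;` (or the reverse if tombstoned opens with O_APPEND). The comment on the new rules would also benefit from one sentence stating that tombstoned only creates the file and hands the FD out, and that the data written through that FD is governed by the client domain's own `anr_data_file:file` permissions. The hunk appears to end at the end of the file, so there is no trailing context to check.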