Allow system_server to read binderfs state file
This is for more information on binder threads during ANRs. Test: adb shell am hang Bug: 316970771 Change-Id: I905c8b605540aabb7463cb0e1b3a9a8b07f8d5cb
parent
e98c6d2b38
commit
9645657201
6 changed files with 11 additions and 0 deletions
|
@ -8,4 +8,5 @@
|
|||
profcollectd_etr_prop
|
||||
fs_bpf_lmkd_memevents_rb
|
||||
fs_bpf_lmkd_memevents_prog
|
||||
binderfs_logs_transactions
|
||||
))
|
||||
|
|
|
@ -156,6 +156,9 @@ get_prop(domain, binder_cache_bluetooth_server_prop)
|
|||
get_prop(domain, binder_cache_system_server_prop)
|
||||
get_prop(domain, binder_cache_telephony_server_prop)
|
||||
|
||||
# Binderfs logs contain sensitive information about other processes.
|
||||
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transactions:file no_rw_file_perms;
|
||||
|
||||
# Allow access to fsverity keyring.
|
||||
allow domain kernel:key search;
|
||||
# Allow access to keys in the fsverity keyring that were installed at boot.
|
||||
|
|
|
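Review bot: The neverallow on `binderfs_logs_transactions:file` exempts `init` and `vendor_init`, but no rule on this page grants either domain access to the new type, and the comment does not say why they are exempt. If the exemptions only accommodate broad existing rules for those domains, the comment should say so; if they are not needed, the exception list could be narrowed to the two intended readers. The comment also says "Binderfs logs" while the rule covers only the transactions type; something like `# binder_logs/transactions exposes other processes' binder state; readers are limited to dumpstate and system_server (init/vendor_init exempt: <reason>).` would be more precise. The rest of the file lies outside the hunk, so the init rules cannot be checked from here.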
@ -128,6 +128,9 @@ allow dumpstate gsid_exec:file rx_file_perms;
|
|||
set_prop(dumpstate, ctl_gsid_prop)
|
||||
binder_call(dumpstate, gsid)
|
||||
|
||||
#Allow access to /dev/binderfs/binder_logs
|
||||
allow dumpstate binderfs_logs_transactions:file r_file_perms;
|
||||
|
||||
r_dir_file(dumpstate, ota_metadata_file)
|
||||
|
||||
# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
|
||||
|
|
|
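Review bot: The added comment `#Allow access to /dev/binderfs/binder_logs` names the whole directory, while the rule below it grants read on the `binderfs_logs_transactions` file type only. Suggest `# Allow reading /dev/binderfs/binder_logs/transactions.`, with a space after `#` as in the neighbouring comments, so the comment does not imply a wider grant than the policy makes.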
@ -305,6 +305,7 @@ genfscon binder /vndbinder u:object_r:vndbinder_device:s0
|
|||
genfscon binder /binder_logs u:object_r:binderfs_logs:s0
|
||||
genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
|
||||
genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
|
||||
genfscon binder /binder_logs/transactions u:object_r:binderfs_logs_transactions:s0
|
||||
genfscon binder /features u:object_r:binderfs_features:s0
|
||||
|
||||
genfscon inotifyfs / u:object_r:inotify:s0
|
||||
|
|
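Review bot: Giving `/binder_logs/transactions` its own label takes the file out of `binderfs_logs`, so any domain that read it through a `binderfs_logs:file` rule loses access unless it is also granted on `binderfs_logs_transactions`. Only dumpstate and system_server receive the new grant in this commit. The rest of the policy is not visible here, so it is worth checking for other existing readers (and for new denials in a test run) before merge.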
|
@ -1596,6 +1596,8 @@ set_prop(system_server, dalvik_dynamic_config_prop)
|
|||
# Allow system server to read binderfs
|
||||
allow system_server binderfs_logs:dir r_dir_perms;
|
||||
allow system_server binderfs_logs_stats:file r_file_perms;
|
||||
# For ANRs
|
||||
allow system_server binderfs_logs_transactions:file r_file_perms;
|
||||
|
||||
# Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
|
||||
set_prop(system_server, game_manager_config_prop)
|
||||
|
|
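Review bot: `# For ANRs` does not record that this is the file the domain.te hunk describes as containing sensitive information about other processes, nor where the data goes once system_server has read it. The neverallow limits direct readers to four domains, so the copy written into ANR output should presumably be no more widely readable than that; this is not visible from the hunk and should be confirmed. A fuller comment such as `# Read binder_logs/transactions to add binder thread state to ANR reports; contents cover other processes, keep the output restricted.` would keep that constraint in front of later editors.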
|
@ -8,6 +8,7 @@ type binderfs, fs_type;
|
|||
type binderfs_logs, fs_type;
|
||||
type binderfs_logs_proc, fs_type;
|
||||
type binderfs_logs_stats, fs_type;
|
||||
type binderfs_logs_transactions, fs_type;
|
||||
type binderfs_features, fs_type;
|
||||
# Security-sensitive proc nodes that should not be writable to most.
|
||||
type proc_security, fs_type, proc_type;
|
||||
|
|