Merge "Update transaction log permissions." into main am: 6f388111e0

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3092992 Change-Id: I3cf12a24653cd8ab3ba51fff8142148c0806758a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-05-22 19:33:18 +00:00 · 2024-05-22 19:33:18 +00:00 · 9f4c7bc53f
commit 9f4c7bc53f
parent 96da6272a8 6f388111e0
6 changed files with 22 additions and 3 deletions
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@ -9,6 +9,7 @@
    fs_bpf_lmkd_memevents_rb
    fs_bpf_lmkd_memevents_prog
    binderfs_logs_transactions
+    binderfs_logs_transaction_history
    proc_compaction_proactiveness
    proc_cgroups
  ))
--- a/private/domain.te
+++ b/private/domain.te
@ -505,7 +505,17 @@ get_prop(domain, binder_cache_system_server_prop)
 get_prop(domain, binder_cache_telephony_server_prop)

 # Binderfs logs contain sensitive information about other processes.
-neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transactions:file no_rw_file_perms;
+neverallow {
+    domain
+    -init
+    -vendor_init
+    userdebug_or_eng(`-dumpstate')
+    userdebug_or_eng(`-system_server')
+} binderfs_logs_transactions:file no_rw_file_perms;
+
+# Binderfs transaction history is less sensitive than transactions, but it
+# still contains global information about the system.
+neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms;

 # Allow access to fsverity keyring.
 allow domain kernel:key search;
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@ -129,7 +129,9 @@ set_prop(dumpstate, ctl_gsid_prop)
 binder_call(dumpstate, gsid)

 #Allow access to /dev/binderfs/binder_logs
-allow dumpstate binderfs_logs_transactions:file r_file_perms;
+userdebug_or_eng(`
+    allow dumpstate binderfs_logs_transactions:file r_file_perms;
+')

 r_dir_file(dumpstate, ota_metadata_file)

--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@ -309,6 +309,8 @@ genfscon binder /binder_logs u:object_r:binderfs_logs:s0
 genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
 genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
 genfscon binder /binder_logs/transactions u:object_r:binderfs_logs_transactions:s0
+genfscon binder /binder_logs/transaction_log u:object_r:binderfs_logs_transaction_history:s0
+genfscon binder /binder_logs/failed_transaction_log u:object_r:binderfs_logs_transaction_history:s0
 genfscon binder /features u:object_r:binderfs_features:s0

 genfscon inotifyfs / u:object_r:inotify:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@ -1620,8 +1620,11 @@ set_prop(system_server, dalvik_dynamic_config_prop)
 # Allow system server to read binderfs
 allow system_server binderfs_logs:dir r_dir_perms;
 allow system_server binderfs_logs_stats:file r_file_perms;
+
 # For ANRs
-allow system_server binderfs_logs_transactions:file r_file_perms;
+userdebug_or_eng(`
+    allow system_server binderfs_logs_transactions:file r_file_perms;
+')

 # Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
 set_prop(system_server, game_manager_config_prop)
--- a/public/file.te
+++ b/public/file.te
@ -11,6 +11,7 @@ type binderfs_logs_stats, fs_type;

 starting_at_board_api(202504, `
    type binderfs_logs_transactions, fs_type;
+    type binderfs_logs_transaction_history, fs_type;
 ')

 type binderfs_features, fs_type;