tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Selinux permissions for incidentd project

Browse source 
Bug: 64222712
Test: manual
Change-Id: Ica77ae3c9e535eddac9fccf11710b0bcb3254ab3
This commit is contained in:
Yi Jin 2018-01-22 14:00:46 -08:00
parent 0a2f862715
commit bc24ba7283
10 changed files with 52 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
private/compat/26.0/26.0.cil
View file

@ -123,7 +123,10 @@
(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file)) (typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
(typeattributeset dalvik_prop_26_0 (dalvik_prop)) (typeattributeset dalvik_prop_26_0 (dalvik_prop))
(typeattributeset dbinfo_service_26_0 (dbinfo_service)) (typeattributeset dbinfo_service_26_0 (dbinfo_service))
(typeattributeset debugfs_26_0 (debugfs)) (typeattributeset debugfs_26_0
( debugfs
debugfs_wakeup_sources
))
(typeattributeset debugfs_mmc_26_0 (debugfs_mmc)) (typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker)) (typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
(typeattributeset debugfs_tracing_26_0 (debugfs_tracing)) (typeattributeset debugfs_tracing_26_0 (debugfs_tracing))

2
private/compat/26.0/26.0.ignore.cil
View file

@ -42,6 +42,8 @@
hal_tetheroffload_hwservice hal_tetheroffload_hwservice
hal_usb_gadget_hwservice hal_usb_gadget_hwservice
hal_wifi_offload_hwservice hal_wifi_offload_hwservice
incident_helper
incident_helper_exec
kmsg_debug_device kmsg_debug_device
last_boot_reason_prop last_boot_reason_prop
mediaprovider_tmpfs mediaprovider_tmpfs

1
private/file_contexts
View file

@ -207,6 +207,7 @@
/system/bin/dumpstate u:object_r:dumpstate_exec:s0 /system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0 /system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0 /system/bin/incidentd u:object_r:incidentd_exec:s0
/system/bin/incident_helper u:object_r:incident_helper_exec:s0
/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0 /system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
/system/bin/vold u:object_r:vold_exec:s0 /system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0 /system/bin/netd u:object_r:netd_exec:s0

1
private/genfs_contexts
View file

@ -128,6 +128,7 @@ genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tr
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0 genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0 genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0 genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
genfscon debugfs /tracing/events/sync/enable u:object_r:debugfs_tracing_debug:s0 genfscon debugfs /tracing/events/sync/enable u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/workqueue/enable u:object_r:debugfs_tracing_debug:s0 genfscon debugfs /tracing/events/workqueue/enable u:object_r:debugfs_tracing_debug:s0

2
private/incident.te
View file

@ -23,3 +23,5 @@ allow incident incident_service:service_manager find;
binder_call(incident, incidentd) binder_call(incident, incidentd)
allow incident incidentd:fifo_file write; allow incident incidentd:fifo_file write;
# only allow incident being called by shell
neverallow { domain -su -shell -incident } incident_exec:file { execute execute_no_trans };

13
private/incident_helper.te Normal file
View file

@ -0,0 +1,13 @@
typeattribute incident_helper coredomain;
type incident_helper_exec, exec_type, file_type;
# switch to incident_helper domain for incident_helper command
domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
# use pipe to transmit data from/to incidentd/incident_helper for parsing
allow incident_helper { shell incident incidentd }:fd use;
allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
# only allow incidentd and shell to call incident_helper
neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };

33
private/incidentd.te
View file

@ -1,21 +1,16 @@
typeattribute incidentd coredomain; typeattribute incidentd coredomain;
typeattribute incidentd mlstrustedsubject;
init_daemon_domain(incidentd) init_daemon_domain(incidentd)
type incidentd_exec, exec_type, file_type; type incidentd_exec, exec_type, file_type;
binder_use(incidentd) binder_use(incidentd)
wakelock_use(incidentd) wakelock_use(incidentd)
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };
# Allow incidentd to scan through /proc/pid for all processes # Allow incidentd to scan through /proc/pid for all processes
r_dir_file(incidentd, domain) r_dir_file(incidentd, domain)
allow incidentd self:global_capability_class_set { # Allow incidentd to kill incident_helper when timeout
# Send signals to processes allow incidentd incident_helper:process sigkill;
kill
};
# Allow executing files on system, such as: # Allow executing files on system, such as:
# /system/bin/toolbox # /system/bin/toolbox
@ -24,6 +19,22 @@ allow incidentd self:global_capability_class_set {
allow incidentd system_file:file execute_no_trans; allow incidentd system_file:file execute_no_trans;
allow incidentd toolbox_exec:file rx_file_perms; allow incidentd toolbox_exec:file rx_file_perms;
# section id 2001, allow reading /proc/pagetypeinfo
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
allow incidentd debugfs_wakeup_sources:file r_file_perms;
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
allow incidentd sysfs_devices_system_cpu:file r_file_perms;
# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
allow incidentd sysfs_batteryinfo:dir { search };
allow incidentd sysfs_batteryinfo:file r_file_perms;
# Create and write into /data/misc/incidents # Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms; allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms; allow incidentd incident_data_file:file create_file_perms;
@ -33,7 +44,7 @@ allow incidentd incident_data_file:file create_file_perms;
# Signal java processes to dump their stack and get the results # Signal java processes to dump their stack and get the results
# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal; # TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
# TODO allow incidentd anr_data_file:dir rw_dir_perms; # TODO allow incidentd anr_data_file:dir create_dir_perms;
# TODO allow incidentd anr_data_file:file create_file_perms; # TODO allow incidentd anr_data_file:file create_file_perms;
# Signal native processes to dump their stack. # Signal native processes to dump their stack.
@ -52,7 +63,7 @@ allow incidentd {
}:process signal; }:process signal;
# Allow incidentd to make binder calls to any binder service # Allow incidentd to make binder calls to any binder service
binder_call(incidentd, binderservicedomain) binder_call(incidentd, system_server)
binder_call(incidentd, appdomain) binder_call(incidentd, appdomain)
# Reading /proc/PID/maps of other processes # Reading /proc/PID/maps of other processes
@ -62,7 +73,7 @@ binder_call(incidentd, appdomain)
allow incidentd shell_exec:file rx_file_perms; allow incidentd shell_exec:file rx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?) # logd access - work to be done is a PII safe log (possibly an event log?)
# TODO read_logd(incidentd) userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd) # TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services. # Allow incidentd to find these standard groups of services.

1
private/system_server.te
View file

@ -135,6 +135,7 @@ allow system_server proc_sysrq:file rw_file_perms;
# Read /sys/kernel/debug/wakeup_sources. # Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms; allow system_server debugfs:file r_file_perms;
allow system_server debugfs_wakeup_sources:file r_file_perms;
# The DhcpClient and WifiWatchdog use packet_sockets # The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl; allow system_server self:packet_socket create_socket_perms_no_ioctl;

1
public/file.te
View file

@ -112,6 +112,7 @@ type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject; type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject; type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type; type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type; type debugfs_wifi_tracing, fs_type, debugfs_type;
type pstorefs, fs_type; type pstorefs, fs_type;

5
public/incident_helper.te Normal file
View file

@ -0,0 +1,5 @@
# The incident_helper is called by incidentd and
# can only read/write data from/to incidentd
# incident_helper
type incident_helper, domain;