From c0d14767e68f90138c8b017bf47e8b3e4fd1c01e Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Wed, 25 Jun 2014 12:30:11 -0700 Subject: [PATCH] dumpstate: transition into vdc domain dumpstate uses vdc to collect asec lists and do a vold dump. Force a transition into the vdc domain when this occurs. Addresses the following denial: <4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0 Change-Id: I4bd9f3ad83480f8c9f9843ffe136295c582f96fe --- dumpstate.te | 4 ++-- vdc.te | 13 +++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/dumpstate.te b/dumpstate.te index e4d6dc9e6..222122247 100644 --- a/dumpstate.te +++ b/dumpstate.te @@ -49,8 +49,8 @@ allow dumpstate { appdomain system_server }:process signal; # This list comes from native_processes_to_dump in dumpstate/utils.c allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal; -# The vdc command needs to talk to the vold socket. -unix_socket_connect(dumpstate, vold, vold) +# Execute and transition to the vdc domain +domain_auto_trans(dumpstate, vdc_exec, vdc) # Vibrate the device after we're done collecting the bugreport # /sys/class/timed_output/vibrator/enable diff --git a/vdc.te b/vdc.te index a5ca2f29c..8b6a93a49 100644 --- a/vdc.te +++ b/vdc.te @@ -1,6 +1,9 @@ # vdc spawned from init for the following services: # defaultcrypto # encrypt +# +# We also transition into this domain from dumpstate, when +# collecting bug reports. type vdc, domain; type vdc_exec, exec_type, file_type; @@ -8,3 +11,13 @@ type vdc_exec, exec_type, file_type; init_daemon_domain(vdc) unix_socket_connect(vdc, vold, vold) + +# vdc sends information back to dumpstate when "adb bugreport" is used +allow vdc dumpstate:fd use; +allow vdc dumpstate:unix_stream_socket { read write getattr }; + +# vdc information is written to shell owned bugreport files +allow vdc shell_data_file:file { write getattr }; + +# Why? +allow vdc dumpstate:unix_dgram_socket { read write };