dumpstate: transition into vdc domain

dumpstate uses vdc to collect asec lists and do a vold dump.
Force a transition into the vdc domain when this occurs.

Addresses the following denial:

  <4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0

Change-Id: I4bd9f3ad83480f8c9f9843ffe136295c582f96fe
This commit is contained in:
Nick Kralevich 2014-06-25 12:30:11 -07:00
parent 8c6552acfb
commit c0d14767e6
2 changed files with 15 additions and 2 deletions

View file

@ -49,8 +49,8 @@ allow dumpstate { appdomain system_server }:process signal;
# This list comes from native_processes_to_dump in dumpstate/utils.c # This list comes from native_processes_to_dump in dumpstate/utils.c
allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal; allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
# The vdc command needs to talk to the vold socket. # Execute and transition to the vdc domain
unix_socket_connect(dumpstate, vold, vold) domain_auto_trans(dumpstate, vdc_exec, vdc)
# Vibrate the device after we're done collecting the bugreport # Vibrate the device after we're done collecting the bugreport
# /sys/class/timed_output/vibrator/enable # /sys/class/timed_output/vibrator/enable

13
vdc.te
View file

@ -1,6 +1,9 @@
# vdc spawned from init for the following services: # vdc spawned from init for the following services:
# defaultcrypto # defaultcrypto
# encrypt # encrypt
#
# We also transition into this domain from dumpstate, when
# collecting bug reports.
type vdc, domain; type vdc, domain;
type vdc_exec, exec_type, file_type; type vdc_exec, exec_type, file_type;
@ -8,3 +11,13 @@ type vdc_exec, exec_type, file_type;
init_daemon_domain(vdc) init_daemon_domain(vdc)
unix_socket_connect(vdc, vold, vold) unix_socket_connect(vdc, vold, vold)
# vdc sends information back to dumpstate when "adb bugreport" is used
allow vdc dumpstate:fd use;
allow vdc dumpstate:unix_stream_socket { read write getattr };
# vdc information is written to shell owned bugreport files
allow vdc shell_data_file:file { write getattr };
# Why?
allow vdc dumpstate:unix_dgram_socket { read write };