Commit graph

50 commits

Author SHA1 Message Date
Kangping Dong
e1ee768a97 Fix dumpstate denials related to ot_daemon
Bug: 313794601
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I5dfa427e3c7ad99ec21392d2f219f14b66dd6256
2023-12-01 13:02:38 +08:00
Jan Sebechlebsky
de644175a9 Fix dumpstate denials related to virtual_camera
Bug: 313794601
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie5b7c89388190fa927f8c762b2e65557f9d9870b
2023-11-30 10:57:16 +01:00
Changyeon Jo
152a2f1755 Allow dumpstate to make binder IPC to automotive display service
Bug: 280837170
Test: atest android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I8239ba23bb60b95e7dd07a4c8a99167f1e08192b
2023-09-26 18:47:45 +00:00
David Drysdale
e1075f7c0c Don't emit audit logs for dumpstate->keystore
aosp/1696825 added the ability for dumpstate to signal Keystore on
debuggable builds, but this means that there will be an audit denial
message on non-debuggable builds.  Suppress this, in particular so that
the test mentioned below can pass on -user builds.

Bug: 269672964
Test: CtsSecurityHostTestCases:android.security.cts.SELinuxHostTest#testNoBugreportDenial
Change-Id: I68a41f6b94d615f80e4d1490ec4159436693dce2
2023-03-21 09:16:47 +00:00
Jeff Sharkey
ef5e5c82d4 Add dropbox entries as files to dumpstate ZIP.
Since each dropbox entry is already stored as a file on disk, include
them as-is into the dumpstate ZIP file.

The dumpsys output has already included truncated versions of all
dropbox entries for many years, and adding them as separate files
inside the dumpstate ZIP will speed up debugging and issue triage.

Bug: 267673062
Test: manual
Change-Id: I6e83dd01221f43bb2e2efc1a12368db30a545c71
2023-02-10 14:02:35 +00:00
Thiébaud Weksteen
3b1c843976 Grant SIGTERM and SIGKILL to dumpstate on incident
Bug: 238705597
Test: reduce timeout on incident; trigger bugreport; no denials
Change-Id: If70f9969165f4b8e4f1849d9dd6035503de87eb2
2023-01-04 12:57:11 +11:00
Mårten Kongstad
098e9094c3 Allow dumpstate to exec derive_sdk
derive_sdk is used to configure installed SDK extensions. It can also
print debug information about these.

Allow dumpstate to execute derive_sdk, to include the debug information
in bugreports.

Bug: 240656777
Test: adb bugreport /tmp/bugreport.zip && unzip -c /tmp/bugreport.zip bugreport*.txt | grep -i 'sdk extensions'
Change-Id: I0f502f9f94a376dff2e7eb821f7bf753de2d5482
2022-09-28 14:26:46 +02:00
Treehugger Robot
2c905846fa Merge "system_dlkm: allow dumpstate/bugreport to getattr" 2022-03-13 22:22:54 +00:00
Ramji Jiyani
3b59a537fc system_dlkm: allow dumpstate/bugreport to getattr
Bug: 223332748
Bug: 223755339
Test: atest SELinuxHostTest#testNoBugreportDenials
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: Ic0bd8f641cd47cc13df8ec9384e44a7e22e1431e
2022-03-11 21:21:57 +00:00
Chris Morin
1d88bf547e Allow dumpstate to create tmpfs files
dumpstate needs to be able to create tmpfs files for it's upcoming use
of memfd_create.

Test: Generate bugreport
Change-Id: I4ce19635d9b76929b05d85bdba89340e5d5399d1
2022-02-12 13:52:39 -08:00
Enrico Granata
645c390d1a Introduce ro.boot.hypervisor properties
In virtualized deployments of Android, it can be useful to have
access to a description of the hypervisor/host environment being
used to run the guest OS instance.

This is represented by means of a new system property
ro.boot.hypervisor.version, which is meant to convey a
free-form descriptor of the current host/hypervisor version

The property is meant to be provided to Android as androidboot.
by whatever host-specific means are used to supply other boot
properties to the target Android instance. Access could be later
opened to other vendor processes to set if needed for specific
setups where init is not a sufficiently-early stage for
host/guest communication. Such setups are not known at this time.

For a native Android incantation, the property defaults to
being missing

Other properties could later be added to this same namespace
and context if they turn out to be useful in specific scenarios.

Bug: 178749018
Test: build cuttlefish
Change-Id: Id721c14ef1958b525c2866a660dcae8fd176a79d
2021-10-04 11:14:03 -06:00
Hridya Valsaraju
f35c70b0dd Merge changes If26ba23d,Ibea38822
* changes:
  Revert "Revert "Exclude vendor_modprobe from debugfs neverallow restrictions""
  Revert "Revert "Add neverallows for debugfs access""
2021-05-05 17:31:35 +00:00
Hridya Valsaraju
23f9f51fcd Revert "Revert "Add neverallows for debugfs access""
This reverts commit e95e0ec0a5.

Now that b/186727553 is fixed, it should be safe to revert this revert.

Test: build
Bug: 184381659
Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-04 22:06:46 -07:00
Eric Biggers
f9519a6d3f Allow dumpstate to signal keystore to dump its stack
This is needed to debug hangs in keystore2.

Restricted to debuggable builds for now.

Bug: 186879912
Test: 'adb bugreport', then find the stack traces for keystore2 in the
      "VM TRACES JUST NOW" section of the main bugreport file.
Change-Id: I4434cab7e79cb4aae8bbb2e3a8abff02e0073c13
2021-05-04 21:09:35 -07:00
Hridya Valsaraju
e95e0ec0a5 Revert "Add neverallows for debugfs access"
Revert submission 1668411

Reason for revert: Suspect for b/186173384
Reverted Changes:
Iaa4fce9f0:Check that tracefs files are labelled as tracefs_t...
I743a81489:Exclude vendor_modprobe from debugfs neverallow re...
I63a22402c:Add neverallows for debugfs access
I289f2d256:Add a neverallow for debugfs mounting

Change-Id: I9b7d43ac7e2ead2d175b265e97c749570c95e075
2021-04-23 16:38:20 +00:00
Hridya Valsaraju
a0b504a484 Add neverallows for debugfs access
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).

This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
2021-04-21 14:13:22 -07:00
Hongming Jin
58f83415ea Add /data/misc/a11ytrace folder to store accessibility trace files.
Bug: 157601519
Test: adb shell cmd accessibility start-trace
      adb shell cmd accessibility stop-trace
Change-Id: Id4224cee800fe3e10f33794c96048366a0bf09bb
2021-02-16 09:35:09 -08:00
Hridya Valsaraju
6217b6657d Allow dumpstate to read DMA-BUF sysfs stats
These permissions are required for dumpstate to read the DMA-BUF sysfs
stats present at /sys/kernel/dmabuf/buffers

Bug: 167709539
Test: adb shell am bug-report
Change-Id: I1c00843775452b7a7aa39b059e1d77d77aed1e9c
2021-02-02 13:28:18 -08:00
Primiano Tucci
2f99809c43 Allow dumpstate to snapshot traces and attach them to bug reports
Feature description: if a background trace is happening at the
time dumpstate is invoked, the tracing daemon will snapshot
the trace into a fixed path (/data/misc/perfetto-traces/bugreport/).
Dumpstate will attach the trace, if present, to the bugreport.
From a SELinux viewpoint this involves the following permissions:
- Allow dumpstate to exec+trans perfetto --save-for-bugreport
  (this will just send an IPC to traced, which will save the trace).
- Allow dumpstate to list, read and unlink the trace file.
- Create a dedicated label for bugreport traces, to prevent that
  dumpstate gets access to other traces not meant for bug reporting.

Note that this does NOT allow dumpstate to serialze arbitary traces.
Traces must be marked as "eligible for bugreport" upfront in the
trace config (which is not under dumpstate control), by
setting bugreport_score > 0.

Design doc: go/perfetto-betterbug

Bug: 170334305
Test: manual:
      1. start a perfetto trace with bugreport_score > 0
      2. adb shell dumpstate
      3. check that the bugreport zip contains the trace

Change-Id: I259c3ee9d5be08d6b22c796b32875d7de703a230
2021-01-12 14:06:24 +00:00
Alistair Delva
2bbf1cea1e Fix pid_max denials from dumpstate, incidentd
The dumpstate and incidentd contexts may call on to toybox tools like
"ps" and "top" which are now reading /proc/sys/kernel/pid_max.

Fixes denials like:

avc: denied { read } for comm="top" name="pid_max" dev="proc" ino=125433
scontext=u:r:incidentd:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0

avc: denied { read } for comm="ps" name="pid_max" dev="proc" ino=125433
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0

avc: denied { read } for comm="ps" name="pid_max" dev="proc" ino=125433
scontext=u:r:incidentd:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0

Bug: 171070708
Bug: 172703374
Bug: 174618269
Change-Id: Ief5662c6d484e966bd1ba7134eddfabb3f7ad0e4
2020-12-02 16:05:01 -08:00
Alex Hong
906c724514 Allow dumpstate to read proc_pid_max and access profcollectd via binder
Now running ps requires the read permission for /proc/sys/kernel/pid_max.
Also, grant the binder_call permission for recently added profcollectd.

Bug: 170070222
Change-Id: I5bc0f89a0538091de40647777ff6bf47f47dc066
2020-11-10 09:53:41 +00:00
Chong Zhang
81f5b9fd25 allow mediatranscoding service to be stack dumped
bug: 170975812
Change-Id: Id73aaf5343efa3c67470e51f63a663a1684e7bf6
2020-10-15 12:54:43 -07:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Yifan Hong
91709db313 dumpstate: reads ota_metadata_file
Bug: 137757435
Test: bugreport
Change-Id: I72a7d1e01e2f4a050220f77d62e5592a14925e17
2019-10-29 14:29:54 -07:00
David Anderson
14eaa6c3de Give dumpstate access to gsid.
Bug: 140204341
Test: dumpstate
Change-Id: If06e334ade2c4bab8ca6726747aa6d30f4fe4ad6
2019-10-02 15:18:01 -07:00
David Anderson
dc2a7873bd Give dumpstate access to run lpdump.
Bug: 140204341
Test: adb bugreport
Change-Id: I33e544dfced7589e995223cc88084f2849efe18b
2019-09-09 17:33:20 -07:00
Elliott Hughes
132b081ee3 Remove perfprofd references.
perfprofd was never finished, and has been removed.

Test: treehugger
Change-Id: I4fc8aa9b737360a66d89c5be39651284ee2d6ffd
2019-07-19 11:15:12 -07:00
Chalard Jean
a4c9f7b2c6 Let dumpstate get netd stack traces.
Test: manual
Bug: 128804277
Change-Id: Ibb3c0063f96f835edb13868b3e7a9fb9f6f94195
2019-04-05 17:33:56 +09:00
Joe Onorato
5536a08be3 Add incidentcompanion service.
It is a side channel for dumpstate and incidentd to communicate
status and get user authorization to share bugreports by calling
system_server.

Test: atest PermissionControllerTest / atest GooglePermissionControllerTest
Change-Id: I995a43a25f375e5c97dba1deb92ebe893ca8585d
2019-01-26 13:15:45 -08:00
Primiano Tucci
33e81a9e42 Revoke ftrace selinux access from dumpstate
Getting rid of the feature in aosp/874979.
See other CL and bug for context.

Bug: 122987614
Bug: 122987614
Test: run dumpstate before and after patch,
      file sizes are comparable,
      observed no tracing-related errors.
Change-Id: Ifcde8dcbb99ce53d226b50ddd3178adaaa4322bd
2019-01-17 16:09:01 +00:00
Joel Galenson
657470ac46 Allow dumpstate to call idmap over binder
This prevents denials while taking a bugreport.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials

Change-Id: I5414141a1557d71e3ac0cf5bc89529685e9069c3
2018-12-05 12:32:09 -08:00
Mike Ma
de3a3e4156 Allow dumpstate to dump incidentd
An incident.proto section has been added to the bugreport. Need
appropriate sepolicy changes to allow binder calls and fd access.

Bug: 119417232
Test: adb bugreport. Verify incident.proto is in the proto folder,
      and there are no sepolicy violations.

Change-Id: Iac27cbf283a2e1cb41862c76343c2b639f6c0e1e
2018-12-04 15:42:56 -08:00
Joel Galenson
7c275a6b9d Allow dumpstate to call gpuservice over binder
This prevents denials while taking a bugreport.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials

Change-Id: I65dffda9806e0d627978ffdd392e3deb625149b7
2018-11-13 12:36:30 -08:00
Jeff Vander Stoep
424517721c Remove access to /proc/net/{tcp,udp}
Remove these files from proc_net_type. Domains that need access must
have permission explicitly granted. Neverallow app access except the
shell domain.

Bug: 114475727
Test: atest CtsLibcoreOjTestCases
Test: netstat, lsof
Test: adb bugreport
Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0
2018-09-30 21:33:47 -07:00
Nick Kralevich
eef72d34b4 dumpstate: remove JIT and /data execute
Not needed for modern Android versions. These rules are really, really
old.

Test: "adb bugreport" continues to work
Test: Generating a bugreport via key combo continues to work.
Change-Id: Ibc1157fb36abd7fc701db3819474f25210a3cb5f
2018-09-06 13:28:34 -07:00
Joel Galenson
03ff9f91c1 Ensure taking a bugreport generates no denials.
This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.

Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: I10882e7adda0bb51bf373e0e62fda0acc8ad34eb
2018-03-05 12:23:25 -08:00
Carmen Jackson
2c8ca45d2d Use a whitelisting strategy for tracefs.
This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-02-05 10:03:06 -08:00
Andreas Gampe
7468db67f6 Sepolicy: Allow stack dumps of statsd
Allow dumpstate & system server watchdog to dump statsd stacks.

Bug: 72461610
Test: m
Change-Id: I4c3472881da253f85d54b5e5b767b06e2618af9c
2018-01-25 09:31:19 -08:00
Yao Chen
b10ff337bf Allow dumpstate to call statsd. This is needed for bugreport.
Selinux violations while calling dump() on statsd by bugreport.

avc: denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
denied { use } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=1
avc: denied { write } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1
avc: denied { getattr } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1

Test: manual
Change-Id: I46c5b119548378cc80c6e4498d00edad5959d188
2018-01-19 09:21:49 -08:00
Vishnu Nair
2d6942d397 Add window trace files SELinux policy rules
- Allow system_server to create and write to /data/misc/wmtrace/*
- Allow surfaceflinger to create and write files from /data/misc/wmtrace/*
- Allow dumpstate to read files from /data/misc/wmtrace/*
permissions are restricted to userdebug or eng builds

Bug: 64831661

Test: adb shell cmd window tracing start && adb shell cmd window tracing stop
Test: adb shell su root service call SurfaceFlinger 1025 i32 1 >/dev/null && adb shell su root service call SurfaceFlinger 1025 i32 0 >/dev/null
Test: adb bugreport ~/tmp.zip && adb shell su root dmesg | grep 'avc: '

Change-Id: I0b15166560739d73d7749201f3ad197dbcf5791c
2017-11-17 17:17:36 +00:00
Steven Moreland
5b2ebd3b25 Revert "Add screencap domain."
This reverts commit 9216a6adc9.

Bug: 65206688

Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf
Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
2017-09-05 10:08:09 -07:00
Steven Moreland
9216a6adc9 Add screencap domain.
Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
2017-08-14 11:46:08 -07:00
Jeff Vander Stoep
b5da252e45 domain_deprecated is dead
long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
2017-07-28 22:01:46 +00:00
Jeff Vander Stoep
7c34e83fcd Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)
2017-07-24 07:39:54 -07:00
Joel Scherpelz
5e901bbe89 Allow dumpstate to acquire xtables.lock
iptables recently changed its behavior to strictly require xtables.lock.
dumpstate selinux policy must be updated to allow access.

Bug: 37648320
Test: dumpstate succeeds with no avc: denied ... xtables.lock messages
Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd
(cherry picked from commit ca0979792f)
2017-04-25 16:22:11 +09:00
Alex Klyubin
f5446eb148 Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-24 07:54:00 -07:00
Keun-young Park
43e8fae079 allow dumpstate to collect ro.boottime.*
- necessary for analyzing early boot stage

bug: 35949319
Test: check captured bugreport for ro.boottime.* in SYSTEM PROPERTIES
Change-Id: I8826abd19ac00f169841b4a7ceeb68be3405d1b9
2017-03-03 13:13:25 -08:00
ynwang
e68d2d2c72 Storaged permissions for task I/O
Allow storaged to read /proc/[pid]/io
Grant binder access to storaged
Add storaged service
Grant storaged_exec access to dumpstate
Grant storaged binder_call to dumpstate

Bug: 32221677

Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2017-01-07 01:12:51 +00:00
dcashman
2e00e6373f sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-12-06 08:56:02 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00