platform_system_sepolicy/private/incidentd.te
Hridya Valsaraju a0b504a484 Add neverallows for debugfs access
Android R launching devices and newer must not ship with debugfs
mounted. For Android S launching devices and newer, debugfs must only be
mounted in userdebug/eng builds by init(for boot time initializations)
and dumpstate(for grabbing debug information from debugfs using the
dumpstate HAL).

This patch adds neverallow statements to prevent othe processes
being provided access to debugfs when the flag PRODUCT_SET_DEBUGFS_RESTRICTIONS
is set to true.

Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Bug: 184381659
Change-Id: I63a22402cf6b1f57af7ace50000acff3f06a49be
2021-04-21 14:13:22 -07:00

210 lines
6.7 KiB
Text

typeattribute incidentd coredomain;
typeattribute incidentd mlstrustedsubject;
init_daemon_domain(incidentd)
type incidentd_exec, system_file_type, exec_type, file_type;
binder_use(incidentd)
wakelock_use(incidentd)
# Allow incidentd to scan through /proc/pid for all processes
r_dir_file(incidentd, domain)
# Allow incidentd to kill incident_helper when timeout
allow incidentd incident_helper:process sigkill;
# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow incidentd system_file:file execute_no_trans;
allow incidentd toolbox_exec:file rx_file_perms;
# section id 1002, allow reading kernel version /proc/version
allow incidentd proc_version:file r_file_perms;
# section id 1116, allow accessing statsd socket
unix_socket_send(incidentd, statsdw, statsd)
# section id 2001, allow reading /proc/pagetypeinfo
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
no_debugfs_restriction(`
allow incidentd debugfs_wakeup_sources:file r_file_perms;
')
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
allow incidentd sysfs_devices_system_cpu:file r_file_perms;
# section id 2005, allow reading ps dump in full
allow incidentd domain:process getattr;
# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
allow incidentd sysfs_batteryinfo:dir { search };
allow incidentd sysfs_batteryinfo:file r_file_perms;
# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
userdebug_or_eng(`allow incidentd pstorefs:dir search');
userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
# section id 3023, allow obtaining stats report
allow incidentd stats_service:service_manager find;
binder_call(incidentd, statsd)
# section id 3026, allow reading /data/misc/perfetto-traces.
allow incidentd perfetto_traces_data_file:dir r_dir_perms;
allow incidentd perfetto_traces_data_file:file r_file_perms;
# section id 3052, allow accessing nfc_service
allow incidentd nfc_service:service_manager find;
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
# Enable incidentd to get stack traces.
binder_use(incidentd)
hwbinder_use(incidentd)
allow incidentd hwservicemanager:hwservice_manager { list };
get_prop(incidentd, hwservicemanager_prop)
allow incidentd hidl_manager_hwservice:hwservice_manager { find };
# Read files in /proc
allow incidentd {
proc_cmdline
proc_pid_max
proc_pipe_conf
proc_stat
}:file r_file_perms;
# Signal java processes to dump their stack and get the results
allow incidentd { appdomain ephemeral_app system_server }:process signal;
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in incidentd/utils.c
allow incidentd {
# This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
audioserver
cameraserver
drmserver
inputflinger
mediadrmserver
mediaextractor
mediametrics
mediaserver
sdcardd
statsd
surfaceflinger
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
hal_audio_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_face_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
hal_omx_server
hal_sensors_server
hal_vr_server
}:process signal;
# Allow incidentd to make binder calls to any binder service
binder_call(incidentd, system_server)
binder_call(incidentd, appdomain)
# Reading /proc/PID/maps of other processes
userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
# incidentd has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow incidentd *:process ptrace;
allow incidentd self:global_capability_class_set {
# Send signals to processes
kill
};
# Connect to tombstoned to intercept dumps.
unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
# Run a shell.
allow incidentd shell_exec:file rx_file_perms;
# For running am, incident-helper-cmd and similar framework commands.
# Run /system/bin/app_process.
allow incidentd zygote_exec:file { rx_file_perms };
# Access the runtime feature flag properties.
get_prop(incidentd, device_config_runtime_native_prop)
get_prop(incidentd, device_config_runtime_native_boot_prop)
# ART locks profile files.
allow incidentd system_file:file lock;
# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
dontaudit incidentd apex_module_data_file:dir r_dir_perms;
dontaudit incidentd apex_art_data_file:dir r_dir_perms;
dontaudit incidentd tmpfs:file rwx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
# Access /data/misc/logd
r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
system_api_service
}:service_manager find;
# Only incidentd can publish the binder service
add_service(incidentd, incident_service)
# Allow pipes only from dumpstate and incident
allow incidentd { dumpstate incident }:fd use;
allow incidentd { dumpstate incident }:fifo_file write;
# Allow incident to call back to incident with status updates.
binder_call(incidentd, incident)
# Read device serial number from system properties
# This is used to track reports from lab testing devices
userdebug_or_eng(`
get_prop(incidentd, serialno_prop)
')
# Read ro.boot.bootreason, persist.sys.boot.bootreason
# This is used to track reports from lab testing devices
userdebug_or_eng(`
get_prop(incidentd, bootloader_boot_reason_prop);
get_prop(incidentd, system_boot_reason_prop);
get_prop(incidentd, last_boot_reason_prop);
')
###
### neverallow rules
###
# only incidentd and the other root services in limited circumstances
# can get to the files in /data/misc/incidents
#
# write, execute, append are forbidden almost everywhere
neverallow { domain -incidentd -init -vold } incident_data_file:file {
w_file_perms
x_file_perms
create
rename
setattr
unlink
append
};
# read is also allowed by system_server, for when the file is handed to dropbox
neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
# limited access to the directory itself
neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;