8f75f76fbd
odrefresh is the process responsible for checking and creating ART compilation artifacts that live in the ART APEX data directory (/data/misc/apexdata/com.android.art). There are two types of change here: 1) enabling odrefresh to run dex2oat and write updated boot class path and system server AOT artifacts into the ART APEX data directory. 2) enabling the zygote and assorted diagnostic tools to use the updated AOT artifacts. odrefresh uses two file contexts: apex_art_data_file and apex_art_staging_data_file. When odrefresh invokes dex2oat, the generated files have the apex_art_staging_data_file label (which allows writing). odrefresh then moves these files from the staging area to their installation area and gives them the apex_art_data_file label. Bug: 160683548 Test: adb root && adb shell /apex/com.android.art/bin/odrefresh Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
202 lines
6.5 KiB
Text
202 lines
6.5 KiB
Text
typeattribute incidentd coredomain;
|
|
typeattribute incidentd mlstrustedsubject;
|
|
|
|
init_daemon_domain(incidentd)
|
|
type incidentd_exec, system_file_type, exec_type, file_type;
|
|
binder_use(incidentd)
|
|
wakelock_use(incidentd)
|
|
|
|
# Allow incidentd to scan through /proc/pid for all processes
|
|
r_dir_file(incidentd, domain)
|
|
|
|
# Allow incidentd to kill incident_helper when timeout
|
|
allow incidentd incident_helper:process sigkill;
|
|
|
|
# Allow executing files on system, such as:
|
|
# /system/bin/toolbox
|
|
# /system/bin/logcat
|
|
# /system/bin/dumpsys
|
|
allow incidentd system_file:file execute_no_trans;
|
|
allow incidentd toolbox_exec:file rx_file_perms;
|
|
|
|
# section id 1002, allow reading kernel version /proc/version
|
|
allow incidentd proc_version:file r_file_perms;
|
|
|
|
# section id 2001, allow reading /proc/pagetypeinfo
|
|
allow incidentd proc_pagetypeinfo:file r_file_perms;
|
|
|
|
# section id 2002, allow reading /d/wakeup_sources
|
|
allow incidentd debugfs_wakeup_sources:file r_file_perms;
|
|
|
|
# section id 2003, allow executing top
|
|
allow incidentd proc_meminfo:file { open read };
|
|
|
|
# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
|
|
allow incidentd sysfs_devices_system_cpu:file r_file_perms;
|
|
|
|
# section id 2005, allow reading ps dump in full
|
|
allow incidentd domain:process getattr;
|
|
|
|
# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
|
|
allow incidentd sysfs_batteryinfo:dir { search };
|
|
allow incidentd sysfs_batteryinfo:file r_file_perms;
|
|
|
|
# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
|
|
userdebug_or_eng(`allow incidentd pstorefs:dir search');
|
|
userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
|
|
|
|
# section id 3023, allow obtaining stats report
|
|
allow incidentd stats_service:service_manager find;
|
|
binder_call(incidentd, statsd)
|
|
|
|
# section id 3026, allow reading /data/misc/perfetto-traces.
|
|
allow incidentd perfetto_traces_data_file:dir r_dir_perms;
|
|
allow incidentd perfetto_traces_data_file:file r_file_perms;
|
|
|
|
# Create and write into /data/misc/incidents
|
|
allow incidentd incident_data_file:dir rw_dir_perms;
|
|
allow incidentd incident_data_file:file create_file_perms;
|
|
|
|
# Enable incidentd to get stack traces.
|
|
binder_use(incidentd)
|
|
hwbinder_use(incidentd)
|
|
allow incidentd hwservicemanager:hwservice_manager { list };
|
|
get_prop(incidentd, hwservicemanager_prop)
|
|
allow incidentd hidl_manager_hwservice:hwservice_manager { find };
|
|
|
|
# Read files in /proc
|
|
allow incidentd {
|
|
proc_cmdline
|
|
proc_pid_max
|
|
proc_pipe_conf
|
|
proc_stat
|
|
}:file r_file_perms;
|
|
|
|
# Signal java processes to dump their stack and get the results
|
|
allow incidentd { appdomain ephemeral_app system_server }:process signal;
|
|
|
|
# Signal native processes to dump their stack.
|
|
# This list comes from native_processes_to_dump in incidentd/utils.c
|
|
allow incidentd {
|
|
# This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
|
|
audioserver
|
|
cameraserver
|
|
drmserver
|
|
inputflinger
|
|
mediadrmserver
|
|
mediaextractor
|
|
mediametrics
|
|
mediaserver
|
|
sdcardd
|
|
statsd
|
|
surfaceflinger
|
|
|
|
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
|
|
hal_audio_server
|
|
hal_bluetooth_server
|
|
hal_camera_server
|
|
hal_codec2_server
|
|
hal_face_server
|
|
hal_graphics_allocator_server
|
|
hal_graphics_composer_server
|
|
hal_health_server
|
|
hal_omx_server
|
|
hal_sensors_server
|
|
hal_vr_server
|
|
}:process signal;
|
|
|
|
# Allow incidentd to make binder calls to any binder service
|
|
binder_call(incidentd, system_server)
|
|
binder_call(incidentd, appdomain)
|
|
|
|
# Reading /proc/PID/maps of other processes
|
|
userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
|
|
# incidentd has capability sys_ptrace, but should only use that capability for
|
|
# accessing sensitive /proc/PID files, never for using ptrace attach.
|
|
neverallow incidentd *:process ptrace;
|
|
|
|
allow incidentd self:global_capability_class_set {
|
|
# Send signals to processes
|
|
kill
|
|
};
|
|
|
|
# Connect to tombstoned to intercept dumps.
|
|
unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
|
|
|
|
# Run a shell.
|
|
allow incidentd shell_exec:file rx_file_perms;
|
|
|
|
# For running am, incident-helper-cmd and similar framework commands.
|
|
# Run /system/bin/app_process.
|
|
allow incidentd zygote_exec:file { rx_file_perms };
|
|
# Access the runtime feature flag properties.
|
|
get_prop(incidentd, device_config_runtime_native_prop)
|
|
get_prop(incidentd, device_config_runtime_native_boot_prop)
|
|
# ART locks profile files.
|
|
allow incidentd system_file:file lock;
|
|
# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
|
|
dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
|
|
dontaudit incidentd apex_module_data_file:dir r_dir_perms;
|
|
dontaudit incidentd apex_art_data_file:dir r_dir_perms;
|
|
dontaudit incidentd tmpfs:file rwx_file_perms;
|
|
|
|
# logd access - work to be done is a PII safe log (possibly an event log?)
|
|
userdebug_or_eng(`read_logd(incidentd)')
|
|
# TODO control_logd(incidentd)
|
|
|
|
# Access /data/misc/logd
|
|
r_dir_file(incidentd, misc_logd_file)
|
|
|
|
# Allow incidentd to find these standard groups of services.
|
|
# Others can be allowlisted individually.
|
|
allow incidentd {
|
|
system_server_service
|
|
app_api_service
|
|
system_api_service
|
|
}:service_manager find;
|
|
|
|
# Only incidentd can publish the binder service
|
|
add_service(incidentd, incident_service)
|
|
|
|
# Allow pipes only from dumpstate and incident
|
|
allow incidentd { dumpstate incident }:fd use;
|
|
allow incidentd { dumpstate incident }:fifo_file write;
|
|
|
|
# Allow incident to call back to incident with status updates.
|
|
binder_call(incidentd, incident)
|
|
|
|
# Read device serial number from system properties
|
|
# This is used to track reports from lab testing devices
|
|
userdebug_or_eng(`
|
|
get_prop(incidentd, serialno_prop)
|
|
')
|
|
|
|
# Read ro.boot.bootreason, persist.sys.boot.bootreason
|
|
# This is used to track reports from lab testing devices
|
|
userdebug_or_eng(`
|
|
get_prop(incidentd, bootloader_boot_reason_prop);
|
|
get_prop(incidentd, system_boot_reason_prop);
|
|
get_prop(incidentd, last_boot_reason_prop);
|
|
')
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
# only incidentd and the other root services in limited circumstances
|
|
# can get to the files in /data/misc/incidents
|
|
#
|
|
# write, execute, append are forbidden almost everywhere
|
|
neverallow { domain -incidentd -init -vold } incident_data_file:file {
|
|
w_file_perms
|
|
x_file_perms
|
|
create
|
|
rename
|
|
setattr
|
|
unlink
|
|
append
|
|
};
|
|
# read is also allowed by system_server, for when the file is handed to dropbox
|
|
neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
|
|
# limited access to the directory itself
|
|
neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
|
|
|