platform_system_sepolicy/public/dumpstate.te
Alan Stokes 7aa40413ae Split user_profile_data_file label.
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.

But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.

Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.

Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-11 17:35:06 +00:00

370 lines
10 KiB
Text

# dumpstate
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, system_file_type, exec_type, file_type;
net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)
allow dumpstate self:global_capability_class_set {
# Send signals to processes
kill
# Run iptables
net_raw
net_admin
};
# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;
# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;
# Create and write into /data/anr/
allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;
# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;
# Allow dumpstate to append into privileged apps private files.
allow dumpstate privapp_data_file:file append;
# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;
# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;
# Get process attributes
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote }:process signal;
# Signal native processes to dump their stack.
allow dumpstate {
# This list comes from native_processes_to_dump in dumputils/dump_utils.c
audioserver
cameraserver
drmserver
inputflinger
mediadrmserver
mediaextractor
mediametrics
mediaserver
mediaswcodec
sdcardd
surfaceflinger
vold
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
hal_audiocontrol_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
hal_evs_server
hal_face_server
hal_fingerprint_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
hal_neuralnetworks_server
hal_omx_server
hal_power_server
hal_power_stats_server
hal_sensors_server
hal_thermal_server
hal_vehicle_server
hal_vr_server
system_suspend_server
}:process signal;
# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;
allow dumpstate {
sysfs_devices_block
sysfs_dm
sysfs_loop
sysfs_usb
sysfs_zram
}:file r_file_perms;
# Other random bits of data we want to collect
allow dumpstate debugfs:file r_file_perms;
auditallow dumpstate debugfs:file r_file_perms;
allow dumpstate debugfs_mmc:file r_file_perms;
# df for
allow dumpstate {
block_device
cache_file
metadata_file
rootfs
selinuxfs
storage_file
tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
dump_hal(hal_thermal)
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_identity)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
# Reading /proc/PID/maps of other processes
allow dumpstate self:global_capability_class_set sys_ptrace;
# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;
# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;
# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;
# For Nfc
allow dumpstate nfc_logs_data_file:dir r_dir_perms;
allow dumpstate nfc_logs_data_file:file r_file_perms;
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)
# Read files in /proc
allow dumpstate {
proc_buddyinfo
proc_cmdline
proc_meminfo
proc_modules
proc_net_type
proc_pipe_conf
proc_pagetypeinfo
proc_qtaguid_ctrl
proc_qtaguid_stat
proc_slabinfo
proc_version
proc_vmallocinfo
proc_vmstat
}:file r_file_perms;
# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;
# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;
# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;
# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
#Access /data/misc/update_engine_log
allow dumpstate update_engine_log_data_file:dir r_dir_perms;
allow dumpstate update_engine_log_data_file:file r_file_perms;
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
')
# Access /data/misc/logd
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;
# Access /data/misc/prereboot
allow dumpstate prereboot_data_file:dir r_dir_perms;
allow dumpstate prereboot_data_file:file r_file_perms;
allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;
allow dumpstate {
service_manager_type
-apex_service
-dumpstate_service
-gatekeeper_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
-default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
apex_service
dumpstate_service
gatekeeper_service
virtual_touchpad_service
vold_service
vr_hwc_service
}:service_manager find;
# Most of these are neverallowed.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;
allow dumpstate devpts:chr_file rw_file_perms;
# Read any system properties
get_prop(dumpstate, property_type)
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;
# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)
# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;
# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;
allow dumpstate proc_pressure_cpu:file r_file_perms;
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;
# Allow dumpstate to run ps
allow dumpstate proc_pid_max:file r_file_perms;
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
# Allow dumpstate to talk to iorapd over binder.
binder_call(dumpstate, iorapd)
# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
# Allow dumpstate to read linkerconfig directory
allow dumpstate linkerconfig_file:dir { read open };
# For when dumpstate runs df
dontaudit dumpstate {
mnt_vendor_file
mirror_data_file
mnt_user_file
}:dir search;
dontaudit dumpstate {
apex_mnt_dir
linkerconfig_file
mirror_data_file
mnt_user_file
}:dir getattr;
# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);
# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);
# Allow dumpstate to talk to these stable AIDL services over binder
binder_call(dumpstate, hal_rebootescrow_server)
allow hal_rebootescrow_server dumpstate:fifo_file write;
allow hal_rebootescrow_server dumpstate:fd use;
#Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;
#Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate apex_info_file:file getattr;
###
### neverallow rules
###
# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;
# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow {
domain
-system_server
-shell
-traceur_app
-dumpstate
} dumpstate_service:service_manager find;