08d4c8fa6e
This commit adds fake 31.0 prebuilt. The prebuilt is based on AOSP policy, but slightly modified so the set of types and attributes is a subset of real 31.0 prebuilt (sc-dev policy). Steps taken to make the fake prebuilt: 1) build plat_sepolicy.cil both on AOSP and sc-dev, with lunch target aosp_arm64-eng. 2) diff both outputs to find out which types and attributes don't exist. 3) remove all relevant files and statements. As a result, the following types are removed. artd artd_exec artd_service power_stats_service transformer_service virtualizationservice virtualizationservice_data_file virtualizationservice_exec Bug: 189161483 Test: N/A, will do after adding 31.0 mapping files. Change-Id: Ia957fc32b1838dae730d9dd7bd917d684d4a24cf Merged-In: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
115 lines
3.5 KiB
Text
115 lines
3.5 KiB
Text
typeattribute dumpstate coredomain;
|
|
type dumpstate_tmpfs, file_type;
|
|
|
|
init_daemon_domain(dumpstate)
|
|
|
|
# Execute and transition to the vdc domain
|
|
domain_auto_trans(dumpstate, vdc_exec, vdc)
|
|
|
|
# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
|
|
allow dumpstate system_file:file lock;
|
|
|
|
allow dumpstate storaged_exec:file rx_file_perms;
|
|
|
|
# /data/misc/a11ytrace for accessibility traces
|
|
userdebug_or_eng(`
|
|
allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
|
|
allow dumpstate accessibility_trace_data_file:file r_file_perms;
|
|
')
|
|
|
|
# /data/misc/wmtrace for wm traces
|
|
userdebug_or_eng(`
|
|
allow dumpstate wm_trace_data_file:dir r_dir_perms;
|
|
allow dumpstate wm_trace_data_file:file r_file_perms;
|
|
')
|
|
|
|
# Allow dumpstate to make binder calls to incidentd
|
|
binder_call(dumpstate, incidentd)
|
|
|
|
# Allow dumpstate to make binder calls to storaged service
|
|
binder_call(dumpstate, storaged)
|
|
|
|
# Allow dumpstate to make binder calls to statsd
|
|
binder_call(dumpstate, statsd)
|
|
|
|
# Allow dumpstate to talk to gpuservice over binder
|
|
binder_call(dumpstate, gpuservice);
|
|
|
|
# Allow dumpstate to talk to idmap over binder
|
|
binder_call(dumpstate, idmap);
|
|
|
|
# Allow dumpstate to talk to profcollectd over binder
|
|
userdebug_or_eng(`
|
|
binder_call(dumpstate, profcollectd)
|
|
')
|
|
|
|
# Collect metrics on boot time created by init
|
|
get_prop(dumpstate, boottime_prop)
|
|
|
|
# Signal native processes to dump their stack.
|
|
allow dumpstate {
|
|
mediatranscoding
|
|
statsd
|
|
netd
|
|
}:process signal;
|
|
|
|
userdebug_or_eng(`
|
|
allow dumpstate keystore:process signal;
|
|
')
|
|
|
|
# For collecting bugreports.
|
|
no_debugfs_restriction(`
|
|
allow dumpstate debugfs_wakeup_sources:file r_file_perms;
|
|
')
|
|
|
|
allow dumpstate dev_type:blk_file getattr;
|
|
allow dumpstate webview_zygote:process signal;
|
|
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
|
|
dontaudit dumpstate update_engine:binder call;
|
|
|
|
# Read files in /proc
|
|
allow dumpstate {
|
|
proc_net_tcp_udp
|
|
proc_pid_max
|
|
}:file r_file_perms;
|
|
|
|
# For comminucating with the system process to do confirmation ui.
|
|
binder_call(dumpstate, incidentcompanion_service)
|
|
|
|
# Set properties.
|
|
# dumpstate_prop is used to share state with the Shell app.
|
|
set_prop(dumpstate, dumpstate_prop)
|
|
set_prop(dumpstate, exported_dumpstate_prop)
|
|
|
|
# dumpstate_options_prop is used to pass extra command-line args.
|
|
set_prop(dumpstate, dumpstate_options_prop)
|
|
|
|
# Allow dumpstate to kill vendor dumpstate service by init
|
|
set_prop(dumpstate, ctl_dumpstate_prop)
|
|
|
|
# For dumping dynamic partition information.
|
|
set_prop(dumpstate, lpdumpd_prop)
|
|
binder_call(dumpstate, lpdumpd)
|
|
|
|
# For dumping device-mapper and snapshot information.
|
|
allow dumpstate gsid_exec:file rx_file_perms;
|
|
set_prop(dumpstate, ctl_gsid_prop)
|
|
binder_call(dumpstate, gsid)
|
|
|
|
r_dir_file(dumpstate, ota_metadata_file)
|
|
|
|
# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
|
|
# is being recorded, the command above will serialize it into
|
|
# /data/misc/perfetto-traces/bugreport/*.pftrace .
|
|
domain_auto_trans(dumpstate, perfetto_exec, perfetto)
|
|
allow dumpstate perfetto:process signal;
|
|
allow dumpstate perfetto_traces_data_file:dir { search };
|
|
allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
|
|
allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
|
|
|
|
# When exec-ing /system/bin/perfetto, dumpstates redirects stdio to /dev/null
|
|
# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
|
|
# zip file. These rules are to allow perfetto.te to inherit dumpstate's
|
|
# /dev/null.
|
|
allow perfetto dumpstate_tmpfs:file rw_file_perms;
|
|
allow perfetto dumpstate:fd use;
|