commit 87792b83965eae4311a9fdd7a1e27ddf45973647
author Oleg Matcovschi <omatcovschi@google.com> Fri Mar 26 13:41:07 2021 -0700
committer Oleg Matcovschi <omatcovschi@google.com> Mon Mar 29 09:35:21 2021 -0700
tree 7e1fc1ed6b243e33582e040b73a0a31c6f9e83cb
parent cd48eff87e881a50d82bd471948c9a1c2412451b

pixel-selinux: add sscoredump policies

Bug: 180760068
Signed-off-by: Oleg Matcovschi <omatcovschi@google.com>
Change-Id: I200fc53e484dded91f09b941c7b3a7b6963b0afb

sscoredump/device.te

diff --git a/sscoredump/device.te b/sscoredump/device.te
new file mode 100644
index 0000000..7614dd4
--- /dev/null
+++ b/sscoredump/device.te
@@ -0,0 +1 @@
+type sscoredump_device, dev_type;

sscoredump/file.te

diff --git a/sscoredump/file.te b/sscoredump/file.te
new file mode 100644
index 0000000..337f524
--- /dev/null
+++ b/sscoredump/file.te
@@ -0,0 +1,7 @@
+# files
+type sscoredump_vendor_data_coredump_file, file_type, data_file_type, mlstrustedobject;
+type sscoredump_vendor_data_crashinfo_file, file_type, data_file_type, mlstrustedobject;
+
+# sysfs
+type sysfs_sscoredump_level, sysfs_type, fs_type;                  # sscoredump level
+type sysfs_sscoredump_subsystem_report_count, sysfs_type, fs_type; # subsystem report_count: per device explicit path

sscoredump/file_contexts

diff --git a/sscoredump/file_contexts b/sscoredump/file_contexts
new file mode 100644
index 0000000..b375ffa
--- /dev/null
+++ b/sscoredump/file_contexts
@@ -0,0 +1,4 @@
+/vendor/bin/sscoredump                 u:object_r:sscoredump_exec:s0
+/data/vendor/ssrdump(/.*)?             u:object_r:sscoredump_vendor_data_crashinfo_file:s0
+/data/vendor/ssrdump/coredump(/.*)?    u:object_r:sscoredump_vendor_data_coredump_file:s0
+/dev/sscd_.*                           u:object_r:sscoredump_device:s0

sscoredump/genfs_contexts

diff --git a/sscoredump/genfs_contexts b/sscoredump/genfs_contexts
new file mode 100644
index 0000000..5a6e494
--- /dev/null
+++ b/sscoredump/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /class/sscoredump/level u:object_r:sysfs_sscoredump_level:s0

sscoredump/sscoredump.te

diff --git a/sscoredump/sscoredump.te b/sscoredump/sscoredump.te
new file mode 100644
index 0000000..70d6e1b
--- /dev/null
+++ b/sscoredump/sscoredump.te
@@ -0,0 +1,18 @@
+type sscoredump, domain;
+type sscoredump_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(sscoredump)
+
+set_prop(sscoredump, vendor_ssrdump_prop)
+
+allow sscoredump device:dir r_dir_perms;
+allow sscoredump sscoredump_device:chr_file rw_file_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+allow sscoredump sysfs_sscoredump_subsystem_report_count:file r_file_perms;
+
+userdebug_or_eng(`
+  allow sscoredump sysfs_sscoredump_level:file rw_file_perms;
+  allow sscoredump sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+  allow sscoredump sscoredump_vendor_data_coredump_file:file create_file_perms;
+')