Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 0b3f585a6320ff579c0e6e787d1e2ec8e2097c3b^! / .
commit0b3f585a6320ff579c0e6e787d1e2ec8e2097c3b[log] [tgz]
authorLi Li <dualli@google.com>Wed Oct 11 21:48:19 2023 -0700
committerLi Li <dualli@google.com>Fri Oct 20 13:22:24 2023 -0700
tree6adcd0bb520a207d5f33ec4576d84bab4e1a9354
parentc5509a8ea0d3657b67f6f5a60c649f3bfc1151cd [diff]
Allow system server read binderfs stats

When receiving the binder transaction errors reported by Android
applications, AMS needs a way to verify that information. Currently
Linux kernel doesn't provide such an API. Use binderfs instead until
kernel binder driver adds that functionality in the future.

Bug: 199336863
Test: send binder calls to frozen apps and check logcat
Test: take bugreport and check binder stats logs
Change-Id: I3bab3d4f35616b4a7b99d6ac6dc79fb86e7f28d4

diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 2d1aea0..69902d8 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil

@@ -20,4 +20,5 @@
     proc_memhealth
     virtual_device_native_service
     next_boot_prop
+    binderfs_logs_stats
   ))

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3ec6ab1..17db46a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -392,6 +392,7 @@
 genfscon binder /vndbinder u:object_r:vndbinder_device:s0
 genfscon binder /binder_logs u:object_r:binderfs_logs:s0
 genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
+genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
 genfscon binder /features u:object_r:binderfs_features:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0

diff --git a/private/system_server.te b/private/system_server.te
index f9627e3..0856bd6 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1539,3 +1539,7 @@
 
 # Allow system server to set dynamic ART properties.
 set_prop(system_server, dalvik_dynamic_config_prop)
+
+# Allow system server to read binderfs
+allow system_server binderfs_logs:dir r_dir_perms;
+allow system_server binderfs_logs_stats:file r_file_perms;

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3748605..c52ca15 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te

@@ -379,6 +379,7 @@
 allow dumpstate binderfs_logs:dir r_dir_perms;
 allow dumpstate binderfs_logs:file r_file_perms;
 allow dumpstate binderfs_logs_proc:file r_file_perms;
+allow dumpstate binderfs_logs_stats:file r_file_perms;
 
 use_apex_info(dumpstate)
 

diff --git a/public/file.te b/public/file.te
index 72f511b..d06331c 100644
--- a/public/file.te
+++ b/public/file.te

@@ -7,6 +7,7 @@
 type binderfs, fs_type;
 type binderfs_logs, fs_type;
 type binderfs_logs_proc, fs_type;
+type binderfs_logs_stats, fs_type;
 type binderfs_features, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type, proc_type;