Update transaction log permissions.

I locked down binderfs in Android V (still this release), but
part of it was left too open, so access to transactions is now
restricted to userdebug.

transaction_log and failed_transaction_log are not used in AOSP,
but they are requested by partners.

Bug: 316970771 for transactions
Bug: 336711420 for request to open up transaction history logs
Test: boot, bugreport, also:

:) adb shell ls -Z /dev/binderfs/binder_logs
u:object_r:binderfs_logs_transaction_history:s0 failed_transaction_log
u:object_r:binderfs_logs_proc:s0                proc
u:object_r:binderfs_logs:s0                     state
u:object_r:binderfs_logs_stats:s0               stats
u:object_r:binderfs_logs_transaction_history:s0 transaction_log
u:object_r:binderfs_logs_transactions:s0        transactions
:) adb shell cat /dev/binderfs/binder_logs/transaction_log
10058502: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 36:0 ret 0/0 l=0
10058503: call  from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 116:0 ret 0/0 l=0
10058504: reply from 6450:8668 to 6766:6766 context binder node 0 handle -1 size 12:0 ret 0/0 l=0
10058505: call  from 6766:6766 to 6450:0 context binder node 199747 handle 23 size 84:0 ret 0/0 l=0
...
:) adb shell cat /dev/binderfs/binder_logs/failed_transaction_log
26418: reply from 584:1568 to 0:0 context binder node 0 handle -1 size 20:0 ret 29189/0 l=3194
57265: async from 2978:4304 to 3039:0 context binder node 40111 handle 6 size 96:0 ret 29189/-3 l=3465
57269: call  from 4437:4613 to 670:0 context binder node 57183 handle 44 size 116:0 ret 29189/-3 l=3465
57288: async from 4252:4450 to 3039:0 context binder node 34895 handle 1 size 92:0 ret 29189/-3 l=3465
...

Change-Id: I73e570dee8e59e76acaf0def615701e0e85e207f
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index e65136e..2a11a55 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -9,6 +9,7 @@
     fs_bpf_lmkd_memevents_rb
     fs_bpf_lmkd_memevents_prog
     binderfs_logs_transactions
+    binderfs_logs_transaction_history
     proc_compaction_proactiveness
     proc_cgroups
   ))
diff --git a/private/domain.te b/private/domain.te
index dfcc740..8257c04 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -505,7 +505,17 @@
 get_prop(domain, binder_cache_telephony_server_prop)
 
 # Binderfs logs contain sensitive information about other processes.
-neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transactions:file no_rw_file_perms;
+neverallow {
+    domain
+    -init
+    -vendor_init
+    userdebug_or_eng(`-dumpstate')
+    userdebug_or_eng(`-system_server')
+} binderfs_logs_transactions:file no_rw_file_perms;
+
+# Binderfs transaction history is less sensitive than transactions, but it
+# still contains global information about the system.
+neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms;
 
 # Allow access to fsverity keyring.
 allow domain kernel:key search;
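Review bot: The new `neverallow` on `binderfs_logs_transaction_history` exempts `dumpstate` and `system_server` on all build types, but no hunk in this change grants either domain access to that type, so the exemption is wider than the policy shown here uses. If the exemptions are reserved for partner policy, as the commit message suggests, the comment above the rule should say so, for example `# dumpstate and system_server are exempt so that partner policy may grant read access (b/336711420); AOSP adds no allow rule.`. It would also help to name what the files expose, which going by the sample output in the commit message is the PID:TID of both ends, node and handle ids, and sizes of transactions across the system, so a later reviewer can judge whether including them in user-build bug reports is acceptable. The older comment on `binderfs_logs_transactions` could likewise note that on user builds only `init` and `vendor_init` remain exempt.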
diff --git a/private/dumpstate.te b/private/dumpstate.te
index bccbafd..53a6473 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -129,7 +129,9 @@
 binder_call(dumpstate, gsid)
 
 #Allow access to /dev/binderfs/binder_logs
-allow dumpstate binderfs_logs_transactions:file r_file_perms;
+userdebug_or_eng(`
+    allow dumpstate binderfs_logs_transactions:file r_file_perms;
+')
 
 r_dir_file(dumpstate, ota_metadata_file)
 
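Review bot: The comment `#Allow access to /dev/binderfs/binder_logs` no longer describes the rule beneath it, because the allow now exists only on userdebug and eng builds; something like `# Allow reading binder transactions on userdebug/eng only: the file exposes other processes' binder state.` would match. The same applies to `# For ANRs` in the private/system_server.te hunk, where the allow is wrapped the same way. Neither hunk shows whether dumpstate or system_server still try to open the file on user builds. If they do, each attempt will be logged as an AVC denial, so it is worth confirming the readers are gated too, or deciding explicitly whether a `dontaudit` is wanted.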
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 23d6218..ac59c9a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -309,6 +309,8 @@
 genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
 genfscon binder /binder_logs/stats u:object_r:binderfs_logs_stats:s0
 genfscon binder /binder_logs/transactions u:object_r:binderfs_logs_transactions:s0
+genfscon binder /binder_logs/transaction_log u:object_r:binderfs_logs_transaction_history:s0
+genfscon binder /binder_logs/failed_transaction_log u:object_r:binderfs_logs_transaction_history:s0
 genfscon binder /features u:object_r:binderfs_features:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0
diff --git a/private/system_server.te b/private/system_server.te
index 1ddb48a..c3fc8ce 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1618,8 +1618,11 @@
 # Allow system server to read binderfs
 allow system_server binderfs_logs:dir r_dir_perms;
 allow system_server binderfs_logs_stats:file r_file_perms;
+
 # For ANRs
-allow system_server binderfs_logs_transactions:file r_file_perms;
+userdebug_or_eng(`
+    allow system_server binderfs_logs_transactions:file r_file_perms;
+')
 
 # Allow GameManagerService to read and write persist.graphics.game_default_frame_rate.enabled
 set_prop(system_server, game_manager_config_prop)
diff --git a/public/file.te b/public/file.te
index 34347cb..9f75f05 100644
--- a/public/file.te
+++ b/public/file.te
@@ -11,6 +11,7 @@
 
 starting_at_board_api(202504, `
     type binderfs_logs_transactions, fs_type;
+    type binderfs_logs_transaction_history, fs_type;
 ')
 
 type binderfs_features, fs_type;