Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 29cd454..7f91651 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -151,3 +151,407 @@
# Allow dumpstate to execute derive_sdk in its own domain
domain_auto_trans(dumpstate, derive_sdk_exec, derive_sdk)
+
+net_domain(dumpstate)
+binder_use(dumpstate)
+wakelock_use(dumpstate)
+
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
+
+# Allow dumpstate to scan through /proc/pid for all processes
+r_dir_file(dumpstate, domain)
+
+allow dumpstate self:global_capability_class_set {
+ # Send signals to processes
+ kill
+ # Run iptables
+ net_raw
+ net_admin
+};
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
+allow dumpstate toolbox_exec:file rx_file_perms;
+
+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
+# Create and write into /data/anr/
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
+allow dumpstate anr_data_file:dir rw_dir_perms;
+allow dumpstate anr_data_file:file create_file_perms;
+
+# Allow reading /data/system/uiderrors.txt
+# TODO: scope this down.
+allow dumpstate system_data_file:file r_file_perms;
+
+# Allow dumpstate to append into apps' private files.
+allow dumpstate { privapp_data_file app_data_file }:file append;
+
+# Read dmesg
+allow dumpstate self:global_capability2_class_set syslog;
+allow dumpstate kernel:system syslog_read;
+
+# Read /sys/fs/pstore/console-ramoops
+allow dumpstate pstorefs:dir r_dir_perms;
+allow dumpstate pstorefs:file r_file_perms;
+
+# Get process attributes
+allow dumpstate domain:process getattr;
+
+# Signal java processes to dump their stack
+allow dumpstate { appdomain system_server zygote app_zygote }:process signal;
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.c
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediametrics
+ mediaserver
+ mediaswcodec
+ sdcardd
+ surfaceflinger
+ vold
+
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
+ evsmanagerd
+ hal_audio_server
+ hal_audiocontrol_server
+ hal_bluetooth_server
+ hal_broadcastradio_server
+ hal_camera_server
+ hal_codec2_server
+ hal_drm_server
+ hal_evs_server
+ hal_face_server
+ hal_fingerprint_server
+ hal_graphics_allocator_server
+ hal_graphics_composer_server
+ hal_health_server
+ hal_input_processor_server
+ hal_neuralnetworks_server
+ hal_omx_server
+ hal_power_server
+ hal_power_stats_server
+ hal_sensors_server
+ hal_thermal_server
+ hal_vehicle_server
+ hal_vr_server
+ system_suspend_server
+}:process signal;
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
+
+# Access to /sys
+allow dumpstate sysfs_type:dir r_dir_perms;
+
+allow dumpstate {
+ sysfs_devices_block
+ sysfs_dm
+ sysfs_loop
+ sysfs_usb
+ sysfs_zram
+}:file r_file_perms;
+
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
+# Other random bits of data we want to collect
+no_debugfs_restriction(`
+ allow dumpstate debugfs:file r_file_perms;
+ auditallow dumpstate debugfs:file r_file_perms;
+
+ allow dumpstate debugfs_mmc:file r_file_perms;
+')
+
+# df for
+allow dumpstate {
+ block_device
+ cache_file
+ metadata_file
+ rootfs
+ selinuxfs
+ storage_file
+ tmpfs
+}:dir { search getattr };
+allow dumpstate fuse_device:chr_file getattr;
+allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
+
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
+
+# Allow dumpstate to make binder calls to any binder service
+binder_call(dumpstate, binderservicedomain)
+binder_call(dumpstate, { appdomain artd netd wificond })
+
+# Allow dumpstate to call dump() on specific hals.
+dump_hal(hal_audio)
+dump_hal(hal_audiocontrol)
+dump_hal(hal_authgraph)
+dump_hal(hal_authsecret)
+dump_hal(hal_bluetooth)
+dump_hal(hal_broadcastradio)
+dump_hal(hal_camera)
+dump_hal(hal_codec2)
+dump_hal(hal_contexthub)
+dump_hal(hal_drm)
+dump_hal(hal_dumpstate)
+dump_hal(hal_evs)
+dump_hal(hal_face)
+dump_hal(hal_fingerprint)
+dump_hal(hal_gnss)
+dump_hal(hal_graphics_allocator)
+dump_hal(hal_graphics_composer)
+dump_hal(hal_health)
+dump_hal(hal_identity)
+dump_hal(hal_input_processor)
+dump_hal(hal_keymint)
+dump_hal(hal_light)
+dump_hal(hal_memtrack)
+dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
+dump_hal(hal_oemlock)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+dump_hal(hal_rebootescrow)
+dump_hal(hal_secretkeeper)
+dump_hal(hal_sensors)
+dump_hal(hal_thermal)
+dump_hal(hal_vehicle)
+dump_hal(hal_weaver)
+dump_hal(hal_wifi)
+
+# Vibrate the device after we are done collecting the bugreport
+hal_client_domain(dumpstate, hal_vibrator)
+
+# Reading /proc/PID/maps of other processes
+allow dumpstate self:global_capability_class_set sys_ptrace;
+
+# Allow the bugreport service to create a file in
+# /data/data/com.android.shell/files/bugreports/bugreport
+allow dumpstate shell_data_file:dir create_dir_perms;
+allow dumpstate shell_data_file:file create_file_perms;
+
+# Run a shell.
+allow dumpstate shell_exec:file rx_file_perms;
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file rx_file_perms;
+
+# For Bluetooth
+allow dumpstate bluetooth_data_file:dir search;
+allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
+allow dumpstate bluetooth_logs_data_file:file r_file_perms;
+
+# For Nfc
+allow dumpstate nfc_logs_data_file:dir r_dir_perms;
+allow dumpstate nfc_logs_data_file:file r_file_perms;
+
+# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
+allow dumpstate gpu_device:chr_file rw_file_perms;
+allow dumpstate gpu_device:dir r_dir_perms;
+
+# logd access
+read_logd(dumpstate)
+control_logd(dumpstate)
+read_runtime_log_tags(dumpstate)
+
+# Read files in /proc
+allow dumpstate {
+ proc_bootconfig
+ proc_buddyinfo
+ proc_cmdline
+ proc_meminfo
+ proc_modules
+ proc_net_type
+ proc_pipe_conf
+ proc_pagetypeinfo
+ proc_qtaguid_ctrl
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat
+}:file r_file_perms;
+
+# Read network state info files.
+allow dumpstate net_data_file:dir search;
+allow dumpstate net_data_file:file r_file_perms;
+
+# List sockets via ss.
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Access /data/tombstones.
+allow dumpstate tombstone_data_file:dir r_dir_perms;
+allow dumpstate tombstone_data_file:file r_file_perms;
+
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
+# Access /data/misc/recovery
+allow dumpstate recovery_data_file:dir r_dir_perms;
+allow dumpstate recovery_data_file:file r_file_perms;
+
+# Access /data/misc/update_engine & /data/misc/update_engine_log
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
+# Access /data/misc/snapuserd_log
+allow dumpstate snapuserd_log_data_file:dir r_dir_perms;
+allow dumpstate snapuserd_log_data_file:file r_file_perms;
+
+# Access /data/misc/profiles/{cur,ref}/
+userdebug_or_eng(`
+ allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
+ allow dumpstate user_profile_data_file:file r_file_perms;
+')
+
+# Access /data/misc/logd
+allow dumpstate misc_logd_file:dir r_dir_perms;
+allow dumpstate misc_logd_file:file r_file_perms;
+
+# Access /data/misc/prereboot
+allow dumpstate prereboot_data_file:dir r_dir_perms;
+allow dumpstate prereboot_data_file:file r_file_perms;
+
+allow dumpstate app_fuse_file:dir r_dir_perms;
+allow dumpstate overlayfs_file:dir r_dir_perms;
+
+allow dumpstate {
+ service_manager_type
+ -apex_service
+ -dumpstate_service
+ -gatekeeper_service
+ -hal_service_type
+ -virtual_touchpad_service
+ -vold_service
+ -default_android_service
+}:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+ apex_service
+ dumpstate_service
+ gatekeeper_service
+ hal_service_type
+ virtual_touchpad_service
+ vold_service
+}:service_manager find;
+
+# Most of these are neverallowed.
+dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
+
+allow dumpstate servicemanager:service_manager list;
+allow dumpstate hwservicemanager:hwservice_manager list;
+
+allow dumpstate devpts:chr_file rw_file_perms;
+
+# Read any system properties
+get_prop(dumpstate, property_type)
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
+allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;
+
+# Create a service for talking back to system_server
+add_service(dumpstate, dumpstate_service)
+
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
+# Allow dumpstate to run top
+allow dumpstate proc_stat:file r_file_perms;
+
+allow dumpstate proc_pressure_cpu:file r_file_perms;
+allow dumpstate proc_pressure_mem:file r_file_perms;
+allow dumpstate proc_pressure_io:file r_file_perms;
+
+# Allow dumpstate to run ps
+allow dumpstate proc_pid_max:file r_file_perms;
+
+# Allow dumpstate to talk to installd over binder
+binder_call(dumpstate, installd);
+
+# Allow dumpstate to run ip xfrm policy
+allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Allow dumpstate to run iotop
+allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# Allow dumpstate to run ss
+allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+
+# Allow dumpstate to read linkerconfig directory
+allow dumpstate linkerconfig_file:dir { read open };
+
+# For when dumpstate runs df
+dontaudit dumpstate {
+ mnt_vendor_file
+ mirror_data_file
+ mnt_user_file
+ mnt_product_file
+}:dir search;
+dontaudit dumpstate {
+ apex_mnt_dir
+ linkerconfig_file
+ mirror_data_file
+ mnt_user_file
+}:dir getattr;
+
+# Allow dumpstate to talk to bufferhubd over binder
+binder_call(dumpstate, bufferhubd);
+
+# Allow dumpstate to talk to mediaswcodec over binder
+binder_call(dumpstate, mediaswcodec);
+
+#Access /data/misc/snapshotctl_log
+allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
+allow dumpstate snapshotctl_log_data_file:file r_file_perms;
+
+#Allow access to /dev/binderfs/binder_logs
+allow dumpstate binderfs_logs:dir r_dir_perms;
+allow dumpstate binderfs_logs:file r_file_perms;
+allow dumpstate binderfs_logs_proc:file r_file_perms;
+allow dumpstate binderfs_logs_stats:file r_file_perms;
+
+use_apex_info(dumpstate)
+
+# Allow reading files under /data/system/shutdown-checkpoints/
+allow dumpstate shutdown_checkpoints_system_data_file:dir r_dir_perms;
+allow dumpstate shutdown_checkpoints_system_data_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+ domain
+ -system_server
+ -shell
+ -traceur_app
+ -dumpstate
+} dumpstate_service:service_manager find;