Add support for pbtombstone executable
Added labeling and permissions for /system/bin/pbtombstone across various files, namely: plat_file_contexts_test, 202504.ignore.cil, and system_server.te. Updated file contexts and defined pbtombstone_exec as a system executable to ensure compatibility and proper execution.
Bug: 323857385
Flag: EXEMPT permissions update
Test: m && manual tests and permission check
Change-Id: I0d20366bb452f98d339dd413e074d5bd94b9549e
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 2e72866..ac87801 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -339,6 +339,7 @@
/system/bin/bootstat bootstat_exec
/system/bin/app_process32 zygote_exec
/system/bin/app_process64 zygote_exec
+/system/bin/pbtombstone pbtombstone_exec
/system/bin/servicemanager servicemanager_exec
/system/bin/surfaceflinger surfaceflinger_exec
/system/bin/gpuservice gpuservice_exec
diff --git a/private/compat/202504/202504.ignore.cil b/private/compat/202504/202504.ignore.cil
index 100ba40..04d9387 100644
--- a/private/compat/202504/202504.ignore.cil
+++ b/private/compat/202504/202504.ignore.cil
@@ -5,5 +5,5 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
-
+ pbtombstone_exec
))
diff --git a/private/file.te b/private/file.te
index 3a66143..6bdcc39 100644
--- a/private/file.te
+++ b/private/file.te
@@ -192,6 +192,9 @@
# /sys/firmware/acpi/tables
type sysfs_firmware_acpi_tables, fs_type, sysfs_type;
+# Type for /system/bin/pbtombstone.
+type pbtombstone_exec, system_file_type, exec_type, file_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
diff --git a/private/file_contexts b/private/file_contexts
index 7ef3226..ceebb07 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -353,6 +353,7 @@
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
+/system/bin/pbtombstone u:object_r:pbtombstone_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
diff --git a/private/system_server.te b/private/system_server.te
index 57536de..be486ac 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1168,6 +1168,9 @@
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
+# Allow invoking pbtombstone
+allow system_server pbtombstone_exec:file rx_file_perms;
+
# Allow system process to setup fs-verity
allowxperm system_server { apk_data_file apk_tmp_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
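Review bot: `rx_file_perms` on `pbtombstone_exec` includes `execute_no_trans`, so pbtombstone runs inside the system_server domain with all of system_server's permissions, and the `-pbtombstone_exec` line in the later hunk (@@ -1360) exempts it from the neverallow that restricts exactly that. If pbtombstone parses tombstone data, which presumably originates from crashed and possibly untrusted processes, a parsing bug would run with system_server's privileges. Consider giving the tool its own confined domain instead, e.g. `type pbtombstone, domain;` plus `domain_auto_trans(system_server, pbtombstone_exec, pbtombstone)`, granting only the file access it needs and dropping the neverallow exemption. If in-domain execution is intentional, the comment should record why, e.g. `# Allow invoking pbtombstone in the system_server domain (no transition): <reason, and what input it reads>`. The neverallow statement itself begins outside the visible hunk, so its full exemption list cannot be checked from here.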
@@ -1360,6 +1363,7 @@
file_type
-toolbox_exec
-logcat_exec
+ -pbtombstone_exec
with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
}:file execute_no_trans;