commit 8afcd7b19c66d28fdc48385698f984cb38493ac6
author Rob Barnes <robbarnes@google.com> Wed Sep 18 00:59:51 2024 +0000
committer Rob Barnes <robbarnes@google.com> Tue Oct 08 15:50:13 2024 +0000
tree d027a63a0216f1ef33c8afcad9457f9ce5c57c98
parent 4c36b7052a863b32c7c9b4db89030592c61482ea

Add sepolicy for ACPI bert_collector

bert_collector is a deamon that runs at boot, collects ACPI BERT
reports and sends them to DropBox.

Adds bert_collector.te policy for bert_collector deamon permissions.

Adds sysfs_firmware_acpi_tables context for /sys/firmware/acpi/tables.

Adds property acpi.bert_collector.start for starting bert_collector.

Bug: 357626966
Test: m && atest bert_collector_test

Change-Id: I4c583f3a9121474235ea8c78f65b74df86936a0b

contexts/plat_file_contexts_test

diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index c791614..7bda60c 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -486,6 +486,7 @@
 /system/bin/android.automotive.evs.manager@1.99                   evsmanagerd_exec
 /system/bin/uprobestats                                           uprobestats_exec
 /system/bin/trace_redactor                                        trace_redactor_exec
+/system/bin/bert_collector                                        bert_collector_exec
 
 /vendor                                                           vendor_file
 /vendor/does_not_exist                                            vendor_file

private/bert_collector.te

diff --git a/private/bert_collector.te b/private/bert_collector.te
new file mode 100644
index 0000000..b11bd76
--- /dev/null
+++ b/private/bert_collector.te
@@ -0,0 +1,12 @@
+type bert_collector, domain, coredomain;
+type bert_collector_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(bert_collector)
+
+r_dir_file(bert_collector, sysfs_firmware_acpi_tables)
+
+binder_use(bert_collector)
+binder_call(bert_collector, system_server)
+
+allow bert_collector dropbox_service:service_manager find;
+allow bert_collector proc_version:file r_file_perms;

private/compat/202404/202404.ignore.cil

diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 787531a..9ac4963 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -20,4 +20,5 @@
     virtual_face
     virtual_face_exec
     advanced_protection_service
+    sysfs_firmware_acpi_tables
   ))

private/file.te

diff --git a/private/file.te b/private/file.te
index 70b8523..662d5cc 100644
--- a/private/file.te
+++ b/private/file.te
@@ -182,6 +182,9 @@
 # Type for /sys/kernel/mm/pgsize_migration/enabled
 type sysfs_pgsize_migration, fs_type, sysfs_type;
 
+# /sys/firmware/acpi/tables
+type sysfs_firmware_acpi_tables, fs_type, sysfs_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 24f4a72..496e954 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -408,6 +408,7 @@
 /system/bin/evsmanagerd          u:object_r:evsmanagerd_exec:s0
 /system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
 /system/bin/uprobestats           u:object_r:uprobestats_exec:s0
+/system/bin/bert_collector        u:object_r:bert_collector_exec:s0
 
 #############################
 # Vendor files

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index b8b7247..e300d78 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -149,6 +149,7 @@
 genfscon sysfs /devices/virtual/net             u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/switch          u:object_r:sysfs_switch:s0
 genfscon sysfs /devices/virtual/wakeup          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/acpi/tables              u:object_r:sysfs_firmware_acpi_tables:s0
 genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
 genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0

private/property.te

diff --git a/private/property.te b/private/property.te
index fb5251f..40beca5 100644
--- a/private/property.te
+++ b/private/property.te
@@ -19,6 +19,7 @@
 system_internal_prop(device_config_swcodec_native_prop)
 system_internal_prop(device_config_tethering_u_or_later_native_prop)
 system_internal_prop(dmesgd_start_prop)
+system_internal_prop(bert_collector_start_prop)
 system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index f7e81fd..24462cb 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -870,6 +870,8 @@
 
 dmesgd.start u:object_r:dmesgd_start_prop:s0 exact bool
 
+acpi.bert_collector.start u:object_r:bert_collector_start_prop:s0 exact bool
+
 odsign.key.done u:object_r:odsign_prop:s0 exact bool
 odsign.verification.done u:object_r:odsign_prop:s0 exact bool
 odsign.verification.success u:object_r:odsign_prop:s0 exact bool