dumpstate: remove domain_deprecated attribute
Clean up "granted" logspam. Grant the observered audited permissions
including:
tcontext=cache_file
avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9"
ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { search } for comm="Binder:8559_2" name="cache"
dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0"
ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file
tcontext=proc
avc: granted { getattr } for comm="Binder:14529_2"
path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0
tclass=file
avc: granted { read } for comm="Binder:22671_2" name="cmdline"
dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for comm="dumpstate"
path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0
tclass=file
tcontext=sysfs
avc: granted { read open } for comm="Binder:14459_2"
path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } for comm="Binder:21377_2"
path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1"
dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0
tcontext=u:object_r:sysfs:s0 tclass=dir
avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
tcontext=proc_meminfo
avc: granted { read } for comm="top" name="meminfo" dev="proc"
ino=4026532106 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file
avc: granted { read open } for comm="top" path="/proc/meminfo"
dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file
tcontext=rootfs
avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2
scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs"
ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0
tclass=lnk_file
tcontext=selinuxfs
avc: granted { getattr } for comm="df" path="/sys/fs/selinux"
dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0
tcontext=u:object_r:selinuxfs:s0 tclass=dir
tcontext=system_file
avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw"
dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:system_file:s0 tclass=dir
tcontext=system_data_file
avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables"
dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0
tcontext=u:object_r:system_data_file:s0 tclass=file
avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables"
scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
Bug: 28760354
Test: Build policy
Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 4d1f2d0..e5feb9a 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -159,7 +159,6 @@
userdebug_or_eng(`
auditallow {
domain_deprecated
- -dumpstate
-fsck
-fsck_untrusted
-rild
@@ -170,7 +169,6 @@
} proc:file r_file_perms;
auditallow {
domain_deprecated
- -dumpstate
-fsck
-fsck_untrusted
-rild
@@ -179,7 +177,6 @@
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
auditallow {
domain_deprecated
- -dumpstate
-fingerprintd
-healthd
-netd
@@ -223,7 +220,6 @@
auditallow {
domain_deprecated
-appdomain
- -dumpstate
-fingerprintd
-healthd
-inputflinger
@@ -238,7 +234,6 @@
auditallow {
domain_deprecated
-appdomain
- -dumpstate
-fingerprintd
-healthd
-inputflinger
diff --git a/public/dumpstate.te b/public/dumpstate.te
index d8801ea..39bd85f 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -1,5 +1,5 @@
# dumpstate
-type dumpstate, domain, domain_deprecated, mlstrustedsubject;
+type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, exec_type, file_type;
net_domain(dumpstate)
@@ -28,6 +28,9 @@
allow dumpstate system_file:file execute_no_trans;
allow dumpstate toolbox_exec:file rx_file_perms;
+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
# Create and write into /data/anr/
allow dumpstate self:capability { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
@@ -81,10 +84,19 @@
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;
-# df for /storage/emulated needs search
-allow dumpstate { block_device storage_file tmpfs }:dir { search getattr };
+
+# df for
+allow dumpstate {
+ block_device
+ cache_file
+ rootfs
+ selinuxfs
+ storage_file
+ tmpfs
+}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
@@ -136,7 +148,8 @@
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)
-# Read /proc and /proc/net
+# Read files in /proc
+allow dumpstate proc_meminfo:file r_file_perms;
allow dumpstate proc_net:file r_file_perms;
r_dir_file(dumpstate, proc)
@@ -198,6 +211,9 @@
# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;
+# read default labeled files in /sys
+r_dir_file(dumpstate, sysfs)
+
###
### neverallow rules
###