Allowing incidentd to get stack traces from processes.

Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
diff --git a/private/incidentd.te b/private/incidentd.te
index 22ff985..6b248f1 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -46,32 +46,47 @@
 allow incidentd incident_data_file:dir rw_dir_perms;
 allow incidentd incident_data_file:file create_file_perms;
 
-# Get process attributes
-# TODO allow incidentd domain:process getattr;
+# Enable incidentd to get stack traces.
+binder_use(incidentd)
+hwbinder_use(incidentd)
+allow incidentd hwservicemanager:hwservice_manager { list };
+get_prop(incidentd, hwservicemanager_prop)
+allow incidentd hidl_manager_hwservice:hwservice_manager { find };
 
 # Read files in /proc
 allow incidentd {
+  proc_cmdline
+  proc_pipe_conf
   proc_stat
 }:file r_file_perms;
 
 # Signal java processes to dump their stack and get the results
-# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
-# TODO allow incidentd anr_data_file:dir create_dir_perms;
-# TODO allow incidentd anr_data_file:file create_file_perms;
+allow incidentd { appdomain ephemeral_app system_server }:process signal;
 
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in incidentd/utils.c
 allow incidentd {
+  # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
   audioserver
   cameraserver
   drmserver
   inputflinger
-  mediacodec
   mediadrmserver
   mediaextractor
+  mediametrics
   mediaserver
   sdcardd
+  statsd
   surfaceflinger
+
+  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
+  hal_audio_server
+  hal_bluetooth_server
+  hal_camera_server
+  hal_graphics_composer_server
+  hal_sensors_server
+  hal_vr_server
+  mediacodec # TODO(b/36375899): hal_omx_server
 }:process signal;
 
 # Allow incidentd to make binder calls to any binder service
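Review bot: The native-process block now carries two provenance comments that disagree: the retained line `# This list comes from native_processes_to_dump in incidentd/utils.c` and the added `# This list comes from native_processes_to_dump in dumputils/dump_utils.cpp` just inside the braces. This list is the set of domains incidentd may signal, so an auditor needs one correct pointer to check it against; drop the older line if dump_utils.cpp is now the source. The comment above `allow incidentd { appdomain ephemeral_app system_server }:process signal;` still ends with "and get the results", but the anr_data_file TODO rules were deleted rather than enabled. It would help to say where the results are now read, presumably the tombstoned intercept socket added later in this patch.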
@@ -79,7 +94,18 @@
 binder_call(incidentd, appdomain)
 
 # Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:global_capability_class_set sys_ptrace;
+userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
+# incidentd has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow incidentd *:process ptrace;
+
+allow incidentd self:global_capability_class_set {
+    # Send signals to processes
+    kill
+};
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
 
 # Run a shell.
 allow incidentd shell_exec:file rx_file_perms;
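Review bot: The `kill` capability block is granted on every build type, while the `sys_ptrace` line just above it is wrapped in `userdebug_or_eng`. Together with the `:process signal` rules earlier in this patch, incidentd on user builds can send any signal covered by the `signal` permission, not only the stack-dump one, to apps and system_server regardless of UID. SELinux cannot narrow `signal` to a single signal number, so the intent is worth pinning the way the ptrace case is, e.g. `neverallow incidentd { appdomain system_server }:process { sigkill sigstop };`, assuming no rule outside this hunk needs those permissions. The comment `# incidentd has capability sys_ptrace` should also say the capability exists only on userdebug/eng builds, since `# Reading /proc/PID/maps of other processes` reads as if it applies to all builds.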