Storaged permissions for task I/O
Allow storaged to read /proc/[pid]/io
Grant binder access to storaged
Add storaged service
Grant storaged_exec access to dumpstate
Grant storaged binder_call to dumpstate
Bug: 32221677
Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
diff --git a/private/domain.te b/private/domain.te
index c975ce6..b0c7ac7 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -5,6 +5,7 @@
-debuggerd
-vold
-dumpstate
+ -storaged
-system_server
userdebug_or_eng(`-perfprofd')
} self:capability sys_ptrace;
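Review bot: The new `-storaged` entry in this exemption list carries no justification, although it removes storaged from the domain-wide neverallow on `sys_ptrace`. A short comment would make the reason auditable, for example `# storaged needs sys_ptrace only to read /proc/[pid]/io; attach is blocked by a neverallow in storaged.te`. The reason is taken from the commit message, so confirm it is the only one. The neverallow statement itself starts above this hunk, so the rest of the exemption list is not visible here.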
diff --git a/private/dumpstate.te b/private/dumpstate.te
index a54591d..6a66293 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -13,3 +13,7 @@
allow dumpstate debugfs_tracing:file rw_file_perms;
allow dumpstate debugfs_trace_marker:file getattr;
allow dumpstate atrace_exec:file rx_file_perms;
+allow dumpstate storaged_exec:file rx_file_perms;
+
+# Allow dumpstate to make binder calls to storaged service
+binder_call(dumpstate, storaged)
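Review bot: The added `allow dumpstate storaged_exec:file rx_file_perms;` has no comment, unlike the binder rule below it, and its effect is easy to misread. `rx_file_perms` includes `execute_no_trans` and no domain transition is declared in this hunk, so the storaged binary would run inside the dumpstate domain with dumpstate's permissions rather than as the storaged daemon. If that is the intent (a dump client that talks to the daemon over binder), say so, for example `# Run the storaged binary as a dump client; no transition, it stays in the dumpstate domain`. It is also worth confirming that a rule outside this hunk already gives dumpstate `find` on `storaged_service`, since `binder_call` alone does not.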
diff --git a/private/service_contexts b/private/service_contexts
index 2f31393..5414f11 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -133,6 +133,7 @@
sip u:object_r:radio_service:s0
soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
+storaged u:object_r:storaged_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
diff --git a/private/storaged.te b/private/storaged.te
index e9a959c..bf5c242 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -1,5 +1,5 @@
# storaged daemon
-type storaged, domain;
+type storaged, domain, mlstrustedsubject;
type storaged_exec, exec_type, file_type;
init_daemon_domain(storaged)
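Review bot: Adding `mlstrustedsubject` to the `type storaged` declaration exempts the daemon from the MLS constraints that separate per-user and per-app levels, and nothing in the file says why. It is presumably needed so that storaged can read /proc entries of app processes running at other levels, but that should be stated next to the declaration. A comment such as `# mlstrustedsubject: must read /proc/[pid]/io of processes at any MLS level` would do if that is the reason. Because the attribute applies to every access storaged makes, not just procfs reads, it is worth confirming that no narrower option fits.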
@@ -11,9 +11,22 @@
allow storaged proc:dir r_dir_perms;
r_dir_file(storaged, sysfs_type)
r_dir_file(storaged, proc_net)
+r_dir_file(storaged, domain)
-# Read access to debugfs
-allow storaged debugfs_mmc:dir search;
-allow storaged debugfs_mmc:file r_file_perms;
+allow storaged self:capability { setgid setuid sys_nice sys_ptrace };
+userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+')
+# Binder permissions
+allow storaged storaged_service:service_manager add;
+binder_use(storaged)
+binder_call(storaged, system_server)
+
+###
+### neverallow
+###
+neverallow storaged domain:process ptrace;
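Review bot: `r_dir_file(storaged, domain)` combined with `sys_ptrace` grants more than the /proc/[pid]/io read the commit message describes, and the closing `neverallow storaged domain:process ptrace;` does not bound it. The macro gives read access to every /proc/[pid] entry of every domain, and as far as I know read-mode ptrace access checks are decided by the `file read` permission on the target's domain, not by `process ptrace`. The neverallow therefore blocks attach only, and other sensitive per-process entries stay readable. A comment on the macro should record this, for example `# Grants read on all /proc/[pid] entries, not just io; storaged must only open io`. The `setgid setuid sys_nice` capabilities on the same `allow` line are also unexplained (presumably for dropping privileges after start); a one-line comment per capability would let a later audit drop any that are no longer used.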
diff --git a/public/service.te b/public/service.te
index 550f79b..376208e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -19,6 +19,7 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
+type storaged_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
type system_app_service, service_manager_type;
type update_engine_service, service_manager_type;