From 14f3c709af052e9b546cfda0e2d9f188c5a42de8 Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Thu, 27 Apr 2017 09:58:07 -0700
Subject: [PATCH] Adding allows and context for dumpstate

denied { find } for service=android.service.gatekeeper.IGateKeeperService pid=14914 uid=2000 scontext=u:r:dumpstate:s0 tcontext=u:object_r:gatekeeper_service:s0 tclass=service_manager
denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:update_engine:s0 tclass=binder
denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:installd:s0 tclass=binder
denied { use } for path="pipe:[231372]" dev="pipefs" ino=231372 scontext=u:r:hal_audio_default:s0 tcontext=u:r:dumpstate:s0 tclass=fd
denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:per_mgr:s0 tclass=binder
denied { read } for name="log" dev="debugfs" ino=32 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:debugfs:s0 tclass=file
denied { read } for name="rpm_master_stats" dev="debugfs" ino=16914 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:debugfs_rpm:s0 tclass=file
denied { read } for name="rpm_stats" dev="debugfs" ino=16912 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:debugfs_rpm:s0 tclass=file
denied { read } for comm="top" name="stat" dev="proc" ino=4026532075 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_stat:s0 tclass=file

Bug: 34784662
Bug: 38292576
Test: The above denials are no longer present in adb bugreport
Change-Id: I1def308765f818c04833e2127df1c9803ed2dc77
---
 sepolicy/dumpstate.te | 3 ++-
 sepolicy/file.te | 3 ++-
 sepolicy/file_contexts | 1 +
 sepolicy/hal_dumpstate_impl.te | 3 +++
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/sepolicy/dumpstate.te b/sepolicy/dumpstate.te
index 86444e32..ce328ce8 100644
--- a/sepolicy/dumpstate.te
+++ b/sepolicy/dumpstate.te
@@ -5,8 +5,9 @@ userdebug_or_eng(`
  allow dumpstate proc_stat:file r_file_perms;
  allow dumpstate persist_file:dir r_dir_perms;
  allow dumpstate sysfs_leds:dir search;
- allow dumpstate system_block_device:blk_file r_file_perms;
  dontaudit dumpstate self:netlink_xfrm_socket create_socket_perms_no_ioctl;
+
+ binder_call(dumpstate, per_mgr)
 ')
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 6e334b65..dc75d313 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -12,11 +12,12 @@ type sysfs_soc, sysfs_type, fs_type;
 type debugfs_clk, debugfs_type, fs_type;
 type debugfs_ion, debugfs_type, fs_type;
+type debugfs_ipc, debugfs_type, fs_type;
 type debugfs_kgsl, debugfs_type, fs_type;
 type debugfs_rpm, debugfs_type, fs_type;
 type debugfs_rmt_storage, debugfs_type, fs_type;
 type debugfs_usb, debugfs_type, fs_type;
-type debugfs_ipc, debugfs_type, fs_type;
+type debugfs_wlan, debugfs_type, fs_type;
 # /proc
 type proc_wifi_dbg, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 5c635c50..d21d3614 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -164,6 +164,7 @@
 /sys/kernel/debug/rpm_stats u:object_r:debugfs_rpm:s0
 /sys/kernel/debug/rpm_master_stats u:object_r:debugfs_rpm:s0
 /sys/kernel/debug/ion(/.*)? u:object_r:debugfs_ion:s0
+/sys/kernel/debug/ipc_logging(/.*)? u:object_r:debugfs_ipc:s0
 /sys/kernel/debug/system_stats u:object_r:debugfs_rpm:s0
 /sys/kernel/debug/tcpm/usbpd0 u:object_r:debugfs_usb:s0
 /sys/kernel/debug/pd_engine/usbpd0 u:object_r:debugfs_usb:s0
diff --git a/sepolicy/hal_dumpstate_impl.te b/sepolicy/hal_dumpstate_impl.te
index 9b5cc096..61ef8418 100644
--- a/sepolicy/hal_dumpstate_impl.te
+++ b/sepolicy/hal_dumpstate_impl.te
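Review bot: The dumpstate.te hunk only adds `binder_call(dumpstate, per_mgr)`, yet the commit message lists denials for gatekeeper_service find, binder calls to update_engine and installd, and the hal_audio_default fd use, and the Test line claims all of them are gone; none of those is addressed by any hunk here. Either those are covered by a separate change that the message should name, or the message should be trimmed to the per_mgr denial this change actually fixes. Since the new line sits inside the `userdebug_or_eng` block, the per_mgr call is presumably meant to be debug-only; if the denial also occurs on user builds this placement would leave it unfixed. The removal of `allow dumpstate system_block_device:blk_file r_file_perms;` is a sensible privilege reduction but is not mentioned in the message, so a one-line rationale in the description would help the next reader.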
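Review bot: The new `type debugfs_wlan, debugfs_type, fs_type;` in file.te is declared but nothing in this change labels a path with it or grants any domain access to it, and the commit message does not mention wlan at all. An unreferenced type compiles fine but is dead policy that a later reader will have to chase; either drop it from this change or add the matching file_contexts entry here so the declaration and the label land together. The rest of the hunk is just moving `debugfs_ipc` into alphabetical position, which is fine.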
@@ -35,6 +35,9 @@ allow hal_dumpstate_impl sysfs_thermal:file r_file_perms;
 allow hal_dumpstate_impl debugfs_ion:dir r_dir_perms;
 allow hal_dumpstate_impl debugfs_ion:file r_file_perms;
+allow hal_dumpstate_impl debugfs_rpm:file r_file_perms;
+allow hal_dumpstate_impl debugfs_ipc:file r_file_perms;
+allow hal_dumpstate_impl proc_stat:file r_file_perms;
 # Access to files for dumping
 allow hal_dumpstate_impl sysfs:dir r_dir_perms;
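Review bot: `allow hal_dumpstate_impl debugfs_ipc:file r_file_perms;` grants file access only, but the new file_contexts entry `/sys/kernel/debug/ipc_logging(/.*)?` labels the directory tree as well, so reaching a `log` file under it also needs `search` on the `debugfs_ipc` directory; unless a broader `debugfs_type:dir` rule exists elsewhere in this file (not visible in the hunk), the read denial will just turn into a dir search denial. The pair above it for debugfs_ion shows the intended shape, so adding `allow hal_dumpstate_impl debugfs_ipc:dir r_dir_perms;` alongside the file rule would match it. The `proc_stat` allow also does not correspond to any listed denial for this domain: the only proc_stat denial in the message is scontext=dumpstate with comm="top", and dumpstate's existing proc_stat allow in dumpstate.te lives inside `userdebug_or_eng`, so if that denial was captured on a user build this line does not fix it. If hal_dumpstate_impl genuinely reads /proc/stat itself, a short comment saying so would justify the grant.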