Ensure taking a bugreport generates no denials.

This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports and verified that there were no denials.
Change-Id: I84ed2be7438a4202d37ff91cb3846f491de29d70

sepolicy/vendor/dumpstate.te

@@ -12,3 +12,9 @@ userdebug_or_eng(`
 
 allow hal_dumpstate sysfs_batteryinfo:dir search;
 allow hal_dumpstate sysfs_batteryinfo:file rw_file_perms;
+
+# For collecting bugreports.
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate sysfs_scsi_devices_other:file r_file_perms;
+allow dumpstate sysfs_devices_block_stat:file r_file_perms;
+dontaudit dumpstate kernel:system module_request;

sepolicy/vendor/file.te

@@ -11,6 +11,8 @@ type sysfs_msm_subsys_restart, sysfs_type, fs_type;
 type sysfs_rmtfs, sysfs_type, fs_type;
 type sysfs_soc, sysfs_type, fs_type;
 type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type sysfs_scsi_devices_other, sysfs_type, fs_type;
+type sysfs_devices_block_stat, sysfs_type, fs_type;
 type sysfs_timestamp_switch, sysfs_type, fs_type;
 type sysfs_touch, sysfs_type, fs_type;
 type sysfs_usb_c, sysfs_type, fs_type;
@@ -29,6 +31,7 @@ type debugfs_wlan, debugfs_type, fs_type;
 type debugfs_mdp, debugfs_type, fs_type;
 type debugfs_icnss, debugfs_type, fs_type;
 type debugfs_ufs, debugfs_type, fs_type;
+type debugfs_dma_bufinfo, debugfs_type, fs_type;
 
 # /proc
 type proc_wifi_dbg, fs_type;

sepolicy/vendor/file_contexts

@@ -290,3 +290,5 @@
 
 # b/70518189 vDSO experiments
 /sys/module/vdso/parameters  u:object_r:sysfs_vdso:s0
+
+/sys/devices/virtual/block/.*/stat u:object_r:sysfs_devices_block_stat:s0

sepolicy/vendor/genfs_contexts

@@ -12,6 +12,11 @@ genfscon sysfs /devices/soc/soc:qcom,memlat-cpu4      u:object_r:sysfs_msm_subsy
 genfscon sysfs /android_touch                         u:object_r:sysfs_touch:s0
 
 genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:0 u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:2 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:3 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:4 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:5 u:object_r:sysfs_scsi_devices_other:s0
 
 genfscon sysfs /class/rfkill/rfkill0/state            u:object_r:sysfs_bluetooth_writable:s0
 
@@ -90,3 +95,5 @@ genfscon debugfs /mdp                                 u:object_r:debugfs_mdp:s0
 genfscon debugfs /rmt_storage                         u:object_r:debugfs_rmt_storage:s0
 genfscon debugfs /icnss                               u:object_r:debugfs_icnss:s0
 genfscon debugfs /ufshcd0                             u:object_r:debugfs_ufs:s0
+
+genfscon debugfs /dma_buf/bufinfo                     u:object_r:debugfs_dma_bufinfo:s0

sepolicy/vendor/hal_dumpstate_impl.te

@@ -65,3 +65,8 @@ allow hal_dumpstate_impl sysfs_touch:file rw_file_perms;
 # Access to UFS info
 allow hal_dumpstate_impl sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_dumpstate_impl sysfs_scsi_devices_0000:file r_file_perms;
+
+# For collecting bugreports.
+allow hal_dumpstate_impl shell_data_file:file getattr;
+userdebug_or_eng(`allow hal_dumpstate_impl debugfs_dma_bufinfo:file r_file_perms;')
+dontaudit hal_dumpstate_impl debugfs_dma_bufinfo:file r_file_perms;

sepolicy/vendor/smlog_dump.te

@@ -24,4 +24,7 @@ userdebug_or_eng(`
   allow smlog_dump dumpstate:fd use;
   allow smlog_dump hal_dumpstate_impl:fd use;
   allow smlog_dump uio_device:chr_file rw_file_perms;
+
+  # For collecting bugreports.
+  allow smlog_dump shell_data_file:file write;
 ')

sepolicy/vendor/vold.te

@@ -1,6 +1,7 @@
 get_prop(vold, tee_listener_prop)
 
 allow vold sysfs_scsi_devices_0000:file write;
+allow vold sysfs_scsi_devices_other:file write;
 
 allow vold persist_file:dir r_dir_perms;