From f39d286782e6c8259389ef5ecb5cf63fcfe42a4d Mon Sep 17 00:00:00 2001
From: Joel Galenson
Date: Fri, 2 Mar 2018 14:14:09 -0800
Subject: [PATCH] Ensure taking a bugreport generates no denials.

This commit adds new SELinux permissions and neverallow rules so that taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports and verified that there were no denials.
Merged-In: I84ed2be7438a4202d37ff91cb3846f491de29d70
Change-Id: I84ed2be7438a4202d37ff91cb3846f491de29d70
(cherry picked from commit d7854eb513f1533b0239baa81706b37a327cb529)
---
 sepolicy/vendor/dumpstate.te | 6 ++++++
 sepolicy/vendor/file.te | 3 +++
 sepolicy/vendor/file_contexts | 2 ++
 sepolicy/vendor/genfs_contexts | 7 +++++++
 sepolicy/vendor/hal_dumpstate_impl.te | 5 +++++
 sepolicy/vendor/smlog_dump.te | 3 +++
 sepolicy/vendor/vold.te | 1 +
 7 files changed, 27 insertions(+)

diff --git a/sepolicy/vendor/dumpstate.te b/sepolicy/vendor/dumpstate.te
index 05c68ec6..ad385db0 100644
--- a/sepolicy/vendor/dumpstate.te
+++ b/sepolicy/vendor/dumpstate.te
@@ -12,3 +12,9 @@ userdebug_or_eng(`
 allow hal_dumpstate sysfs_batteryinfo:dir search;
 allow hal_dumpstate sysfs_batteryinfo:file rw_file_perms;
+
+# For collecting bugreports.
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate sysfs_scsi_devices_other:file r_file_perms;
+allow dumpstate sysfs_devices_block_stat:file r_file_perms;
+dontaudit dumpstate kernel:system module_request;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 2d4adebf..9f7faeff 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
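Review bot: The new `dontaudit dumpstate kernel:system module_request;` at the end of the dumpstate.te hunk silences a denial without recording what triggers the module load request, so a later reader cannot tell whether it is benign noise or a driver that should be present; a one-line rationale next to it, along the lines of `# module_request seen while reading the sysfs nodes above; no module is needed, so suppress rather than allow it.` (adjusted to the actual trigger observed in the b/73256908 bugreports), would make the suppression auditable. The three `allow dumpstate ...:file r_file_perms;` rules grant only file access on types that genfs_contexts attaches to whole directories; if core policy does not already give dumpstate `search` on `sysfs_type` directories, reads under those labelled directories will still be denied, so that assumption is worth stating in the comment. The commit message also mentions neverallow rules, but none appear in any of the seven hunks, so the description and the change disagree. The `userdebug_or_eng(` block that opens this hunk starts outside it.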
@@ -11,6 +11,8 @@ type sysfs_msm_subsys_restart, sysfs_type, fs_type;
 type sysfs_rmtfs, sysfs_type, fs_type;
 type sysfs_soc, sysfs_type, fs_type;
 type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type sysfs_scsi_devices_other, sysfs_type, fs_type;
+type sysfs_devices_block_stat, sysfs_type, fs_type;
 type sysfs_timestamp_switch, sysfs_type, fs_type;
 type sysfs_touch, sysfs_type, fs_type;
 type sysfs_usb_c, sysfs_type, fs_type;
@@ -29,6 +31,7 @@ type debugfs_wlan, debugfs_type, fs_type;
 type debugfs_mdp, debugfs_type, fs_type;
 type debugfs_icnss, debugfs_type, fs_type;
 type debugfs_ufs, debugfs_type, fs_type;
+type debugfs_dma_bufinfo, debugfs_type, fs_type;
 # /proc
 type proc_wifi_dbg, fs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 1079d070..16a27a6b 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -290,3 +290,5 @@
 # b/70518189 vDSO experiments
 /sys/module/vdso/parameters u:object_r:sysfs_vdso:s0
+
+/sys/devices/virtual/block/.*/stat u:object_r:sysfs_devices_block_stat:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index 6434c9a6..7f05483c 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
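Review bot: The file_contexts entry `/sys/devices/virtual/block/.*/stat u:object_r:sysfs_devices_block_stat:s0` labels sysfs through file_contexts, which only takes effect when something restorecons that subtree, whereas the SCSI nodes in the same commit are labelled through genfs_contexts and get their label at creation; block devices under /sys/devices/virtual/block (loop, dm, zram and similar) can appear after boot, and any created after the restorecon would keep the generic sysfs label and dumpstate's new `r_file_perms` would not apply to them. If there is no init.rc restorecon covering this path, a `genfscon sysfs /devices/virtual/block/` style entry would be the more robust choice; if there is one, naming it in a comment above the new line would save the next reader the search. The entry also has no comment, unlike the `# b/70518189` line above it; `# Block I/O stats read during bugreports (b/73256908)` would match the file's style.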
@@ -12,6 +12,11 @@ genfscon sysfs /devices/soc/soc:qcom,memlat-cpu4 u:object_r:sysfs_msm_subsy
 genfscon sysfs /android_touch u:object_r:sysfs_touch:s0
 genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:0 u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:2 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:3 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:4 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:5 u:object_r:sysfs_scsi_devices_other:s0
 genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
@@ -90,3 +95,5 @@ genfscon debugfs /mdp u:object_r:debugfs_mdp:s0
 genfscon debugfs /rmt_storage u:object_r:debugfs_rmt_storage:s0
 genfscon debugfs /icnss u:object_r:debugfs_icnss:s0
 genfscon debugfs /ufshcd0 u:object_r:debugfs_ufs:s0
+
+genfscon debugfs /dma_buf/bufinfo u:object_r:debugfs_dma_bufinfo:s0
diff --git a/sepolicy/vendor/hal_dumpstate_impl.te b/sepolicy/vendor/hal_dumpstate_impl.te
index 7815f71b..bcfc2673 100644
--- a/sepolicy/vendor/hal_dumpstate_impl.te
+++ b/sepolicy/vendor/hal_dumpstate_impl.te
@@ -65,3 +65,8 @@ allow hal_dumpstate_impl sysfs_touch:file rw_file_perms;
 # Access to UFS info
 allow hal_dumpstate_impl sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_dumpstate_impl sysfs_scsi_devices_0000:file r_file_perms;
+
+# For collecting bugreports.
+allow hal_dumpstate_impl shell_data_file:file getattr;
+userdebug_or_eng(`allow hal_dumpstate_impl debugfs_dma_bufinfo:file r_file_perms;')
+dontaudit hal_dumpstate_impl debugfs_dma_bufinfo:file r_file_perms;
diff --git a/sepolicy/vendor/smlog_dump.te b/sepolicy/vendor/smlog_dump.te
index bc8d94b4..243a1def 100644
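Review bot: The five new `genfscon sysfs .../target0:0:0/0:0:0:N u:object_r:sysfs_scsi_devices_other:s0` lines enumerate LUNs 1 through 5 by hand, but genfscon matches by longest path prefix, so the `0:0:0:1` entry also labels any `0:0:0:1x` LUN, while a LUN such as `0:0:0:6` or any well-known LUN above 5 falls back to the generic sysfs label and will still deny under the new dumpstate and vold rules. Whether that coverage is intended is not recoverable from the hunk, so a comment above the block stating the LUN layout it assumes, for example `# UFS user LUNs 1-5; add further LUNs here if the partition layout changes (prefix match, so 0:0:0:1 also covers 0:0:0:1x)`, would keep the next maintainer from guessing. The same consideration applies to the `sysfs_scsi_devices_other` rules in dumpstate.te and vold.te.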
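Review bot: In the hal_dumpstate_impl.te hunk the single `# For collecting bugreports.` comment covers three rules with different justifications, and the one that needs it most, `allow hal_dumpstate_impl shell_data_file:file getattr;`, gets none: a vendor HAL touching shell-owned files is the kind of rule a later audit will question, so the comment should say which file is stat'ed and why (if it is the bugreport output descriptor handed over from dumpstate, say so). The `userdebug_or_eng(` allow paired with an unconditional `dontaudit` on `debugfs_dma_bufinfo` follows the usual pattern for debugfs on user builds, but is worth a one-line comment so nobody "fixes" the dontaudit into an allow; the `/dma_buf/bufinfo` node is a file, so the existing debugfs directory search this HAL already relies on for `debugfs_ufs` is presumably what makes the new file rule reachable, which is another assumption worth writing down.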
--- a/sepolicy/vendor/smlog_dump.te
+++ b/sepolicy/vendor/smlog_dump.te
@@ -24,4 +24,7 @@ userdebug_or_eng(`
 allow smlog_dump dumpstate:fd use;
 allow smlog_dump hal_dumpstate_impl:fd use;
 allow smlog_dump uio_device:chr_file rw_file_perms;
+
+ # For collecting bugreports.
+ allow smlog_dump shell_data_file:file write;
 ')
diff --git a/sepolicy/vendor/vold.te b/sepolicy/vendor/vold.te
index 80edf33c..be4eff39 100644
--- a/sepolicy/vendor/vold.te
+++ b/sepolicy/vendor/vold.te
@@ -1,6 +1,7 @@
 get_prop(vold, tee_listener_prop)
 allow vold sysfs_scsi_devices_0000:file write;
+allow vold sysfs_scsi_devices_other:file write;
 allow vold persist_file:dir r_dir_perms;
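Review bot: `allow smlog_dump shell_data_file:file write;` in the smlog_dump.te hunk grants `write` without `open`, which confines the rule to descriptors smlog_dump already holds (the `allow smlog_dump dumpstate:fd use;` context line in the same hunk is the plausible source), and that restriction is exactly what keeps a vendor dumper from writing arbitrary shell-owned files; it deserves to be stated so a future denial is not "fixed" by widening this to `rw_file_perms`. A comment such as `# Write to the bugreport fd passed in by dumpstate; deliberately no open, so only inherited fds are reachable.` would capture the intent, with the fd origin confirmed against the dumper. The `userdebug_or_eng(` macro opening this hunk starts outside it.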