    Ensure taking a bugreport generates no denials. · ba0c279d
    Joel Galenson authored
    This commit adds new SELinux permissions and neverallow rules so that
    taking a bugreport does not produce any denials.
    
    Bug: 73256908
    Test: Captured bugreports on Sailfish and Walleye and verified
    that there were no denials.
    
    Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
    Change-Id: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
    (cherry picked from commit daf1cdfa)
dumpstate.te 1.46 KiB
typeattribute dumpstate coredomain;

init_daemon_domain(dumpstate)

# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)

# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;

# TODO: deal with tmpfs_domain pub/priv split properly
allow dumpstate dumpstate_tmpfs:file execute;

# systrace support - allow atrace to run
allow dumpstate debugfs_tracing:dir r_dir_perms;
allow dumpstate debugfs_tracing:file rw_file_perms;
allow dumpstate debugfs_tracing_debug:dir r_dir_perms;
allow dumpstate debugfs_trace_marker:file getattr;
allow dumpstate atrace_exec:file rx_file_perms;
allow dumpstate storaged_exec:file rx_file_perms;

# /data/misc/wmtrace for wm traces
userdebug_or_eng(`
  allow dumpstate wm_trace_data_file:dir r_dir_perms;
  allow dumpstate wm_trace_data_file:file r_file_perms;
')

# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)

# Allow dumpstate to make binder calls to statsd
binder_call(dumpstate, statsd)

# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)

# Signal native processes to dump their stack.
allow dumpstate {
  statsd
}:process signal;

# For collecting bugreports.
allow dumpstate debugfs_wakeup_sources:file r_file_perms;
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
dontaudit dumpstate perfprofd:binder call;
dontaudit dumpstate update_engine:binder call;
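Review bot: The rules under `# For collecting bugreports.` at the end of the file carry one header comment for six unrelated grants, and the page shows no change markers, so which of them this commit introduces cannot be confirmed here; each rule needs its own one-line reason, because the header does not say what in the bugreport triggers it. `allow dumpstate dev_type:blk_file getattr;` is the broadest of them, since `dev_type` covers every device node type, so a comment such as `# stat() on block devices only (all dev_type); no open/read granted` would record that the grant is deliberately limited to getattr. `allow dumpstate webview_zygote:process signal;` serves the same purpose as the `process signal` set near the top of the file (`# Signal native processes to dump their stack.`), which currently lists only `statsd`; moving `webview_zygote` into that set keeps the signal targets in one place. The two `dontaudit … :binder call;` rules silence the denial rather than grant the call, so a comment like `# presumably dumpstate attempts to dump these services and the call is expected to fail; suppress the log, do not allow it` would stop a later reader from turning them into allow rules. The neverallow rules mentioned in the description are not in this file, and whether dumpstate.te continues past the last line shown is not visible on the page.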