hal_configstore: use crash_dump fallback path

Configstore HAL uses a seccomp filter which blocks the standard path of execing crash_dump to collect crash data. Add permission to use crash_dump's fallback mechanism. Allowing configstore to write to the socket provided by tombstoned required either exempting configstore from a neverallow rule, or removing the neverallow rule entirely. Since the neverallow rule could potentially prevent partners for doing security hardening, it has been removed. Bug: 64768925 Bug: 36453956 Test: killall -ABRT android.hardware.configstore@1.1-service Results in a call stack in logcat, and tombstone in /data/tombstones Test: configstore runs without crashing Test: SANITIZE_TARGET="address coverage" make vts -j64 vts-tradefedrun commandAndExit vts --skip-all-system-status-check \ -primary-abi-only --skip-preconditions -l VERBOSE --module \ VtsHalConfigstoreV1_0IfaceFuzzer Change-Id: I1ed5265f173c760288d856adb9292c4026da43d6

hal_configstore: use crash_dump fallback path
Configstore HAL uses a seccomp filter which blocks the standard path of execing crash_dump to collect crash data. Add permission to use crash_dump's fallback mechanism. Allowing configstore to write to the socket provided by tombstoned required either exempting configstore from a neverallow rule, or removing the neverallow rule entirely. Since the neverallow rule could potentially prevent partners for doing security hardening, it has been removed. Bug: 64768925 Bug: 36453956 Test: killall -ABRT android.hardware.configstore@1.1-service Results in a call stack in logcat, and tombstone in /data/tombstones Test: configstore runs without crashing Test: SANITIZE_TARGET="address coverage" make vts -j64 vts-tradefedrun commandAndExit vts --skip-all-system-status-check \ -primary-abi-only --skip-preconditions -l VERBOSE --module \ VtsHalConfigstoreV1_0IfaceFuzzer Change-Id: I1ed5265f173c760288d856adb9292c4026da43d6
9924d782 · Jeff Vander Stoep · f8d82b67 · 9924d782 · 9924d782
Commit 9924d782 authored 7 years ago by Jeff Vander Stoep
--- a/public/domain.te
+++ b/public/domain.te
@@ -775,13 +775,6 @@ neverallow {
  -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
-neverallow {
-  domain
-  -crash_dump
-  -mediacodec
-  -mediaextractor
-} tombstoned_crash_socket:sock_file write;
 # Never allow anyone except dumpstate or the system server to connect or write to
 # the tombstoned intercept socket.
 neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;

--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -8,6 +8,10 @@ add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
 # this HAL should be restricted to different clients. Thus, the allow rules for
 # clients are defined in the .te files of the clients.
+# hal_configstore runs with a strict seccomp filter. Use crash_dump's
+# fallback path to collect crash data.
+crash_dump_fallback(hal_configstore_server)
 ###
 ### neverallow rules
 ###
@@ -33,11 +37,14 @@ neverallow hal_configstore_server {
  -hal_configstore_server
  -logd
  userdebug_or_eng(`-su')
+  -tombstoned
 }:{ unix_dgram_socket unix_stream_socket } *;
 # Should never need access to anything on /data
 neverallow hal_configstore_server {
  data_file_type
+  -anr_data_file # for crash dump collection
+  -tombstone_data_file # for crash dump collection
  -zoneinfo_data_file # granted to domain
 }:{ file fifo_file sock_file } *;