From 9924d782ef31759e48b7d95bafff218ec98d5ae0 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 22 Aug 2017 10:19:05 -0700
Subject: [PATCH] hal_configstore: use crash_dump fallback path

Configstore HAL uses a seccomp filter which blocks the standard
path of execing crash_dump to collect crash data. Add permission
to use crash_dump's fallback mechanism.

Allowing configstore to write to the socket provided by tombstoned
required either exempting configstore from a neverallow rule, or
removing the neverallow rule entirely. Since the neverallow rule
could potentially prevent partners from doing security hardening,
it has been removed.

Bug: 64768925
Bug: 36453956

Test: killall -ABRT android.hardware.configstore@1.1-service
    Results in a call stack in logcat, and tombstone in
    /data/tombstones
Test: configstore runs without crashing
Test: SANITIZE_TARGET="address coverage" make vts -j64
    vts-tradefedrun commandAndExit vts --skip-all-system-status-check \
    -primary-abi-only --skip-preconditions -l VERBOSE --module \
    VtsHalConfigstoreV1_0IfaceFuzzer

Change-Id: I1ed5265f173c760288d856adb9292c4026da43d6
---
 public/domain.te          | 7 -------
 public/hal_configstore.te | 7 +++++++
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index e550485ee..0ea69d740 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -775,13 +775,6 @@ neverallow {
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
-neverallow {
-  domain
-  -crash_dump
-  -mediacodec
-  -mediaextractor
-} tombstoned_crash_socket:sock_file write;
-
 # Never allow anyone except dumpstate or the system server to connect or write to
 # the tombstoned intercept socket.
 neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 795592ff3..d5f2ef6fe 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -8,6 +8,10 @@ add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
 # this HAL should be restricted to different clients. Thus, the allow rules for
 # clients are defined in the .te files of the clients.
 
+# hal_configstore runs with a strict seccomp filter. Use crash_dump's
+# fallback path to collect crash data.
+crash_dump_fallback(hal_configstore_server)
+
 ###
 ### neverallow rules
 ###
@@ -33,11 +37,14 @@ neverallow hal_configstore_server {
   -hal_configstore_server
   -logd
   userdebug_or_eng(`-su')
+  -tombstoned
 }:{ unix_dgram_socket unix_stream_socket } *;
 
 # Should never need access to anything on /data
 neverallow hal_configstore_server {
   data_file_type
+  -anr_data_file # for crash dump collection
+  -tombstone_data_file # for crash dump collection
   -zoneinfo_data_file # granted to domain
 }:{ file fifo_file sock_file } *;
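Review bot: The new exemptions are wider than the fallback path appears to need: `-tombstoned` lifts the neverallow for every permission (`*`) on both unix_dgram_socket and unix_stream_socket, and `-anr_data_file` / `-tombstone_data_file` lift it for every permission on file, fifo_file and sock_file. If the crash_dump_fallback macro introduced in the earlier hunk only needs a stream-socket connectto and file append (the exempted types suggest this; confirm against the macro definition), residual neverallows such as `neverallow hal_configstore_server tombstoned:unix_stream_socket ~connectto;`, `neverallow hal_configstore_server tombstoned:unix_dgram_socket *;` and `neverallow hal_configstore_server { anr_data_file tombstone_data_file }:file ~append;` would keep the grant minimal and still documented by a neverallow. This matters more now that the domain-wide tombstoned_crash_socket neverallow in public/domain.te is deleted rather than narrowed, leaving these per-domain rules as the only compile-time guard. Both neverallow blocks begin outside the hunk; the first one's header is visible only in the @@ line.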
 
-- 
GitLab