Allow dumpstate to dump incidentd

An incident.proto section has been added to the bugreport. Need appropriate sepolicy changes to allow binder calls and fd access. Bug: 119417232 Test: adb bugreport. Verify incident.proto is in the proto folder, and there are no sepolicy violations. Change-Id: Iac27cbf283a2e1cb41862c76343c2b639f6c0e1e

Allow dumpstate to dump incidentd
An incident.proto section has been added to the bugreport. Need appropriate sepolicy changes to allow binder calls and fd access. Bug: 119417232 Test: adb bugreport. Verify incident.proto is in the proto folder, and there are no sepolicy violations. Change-Id: Iac27cbf283a2e1cb41862c76343c2b639f6c0e1e
de3a3e41 · Mike Ma · 3350a794 · de3a3e41 · de3a3e41 · de3a3e41
Commit de3a3e41 authored 6 years ago by Mike Ma
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -22,6 +22,9 @@ userdebug_or_eng(`
  allow dumpstate wm_trace_data_file:file r_file_perms;
 ')

+# Allow dumpstate to make binder calls to incidentd
+binder_call(dumpstate, incidentd)
+
 # Allow dumpstate to make binder calls to storaged service
 binder_call(dumpstate, storaged)


--- a/private/incident_helper.te
+++ b/private/incident_helper.te
@@ -6,8 +6,8 @@ type incident_helper_exec, system_file_type, exec_type, file_type;
 domain_auto_trans(incidentd, incident_helper_exec, incident_helper)

 # use pipe to transmit data from/to incidentd/incident_helper for parsing
-allow incident_helper { shell incident incidentd }:fd use;
-allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+allow incident_helper { shell incident incidentd dumpstate }:fd use;
+allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write };
 allow incident_helper incidentd:unix_stream_socket { read write };

 # only allow incidentd and shell to call incident_helper

--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -134,9 +134,9 @@ allow incidentd {
 # Only incidentd can publish the binder service
 add_service(incidentd, incident_service)

-# Allow pipes from (and only from) incident
-allow incidentd incident:fd use;
-allow incidentd incident:fifo_file write;
+# Allow pipes only from dumpstate and incident
+allow incidentd { dumpstate incident }:fd use;
+allow incidentd { dumpstate incident }:fifo_file write;

 # Allow incident to call back to incident with status updates.
 binder_call(incidentd, incident)
@@ -145,9 +145,10 @@ binder_call(incidentd, incident)
 ### neverallow rules
 ###

-# only system_server, system_app and incident command can find the incident service
+# only dumpstate, system_server, system_app and incident command can find the incident service
 neverallow {
  domain
+  -dumpstate
  -incident
  -incidentd
  -statsd

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -209,7 +209,6 @@ allow dumpstate {
  -apex_service
  -dumpstate_service
  -gatekeeper_service
-  -incident_service
  -iorapd_service
  -virtual_touchpad_service
  -vold_service
@@ -220,7 +219,6 @@ dontaudit dumpstate {
  apex_service
  dumpstate_service
  gatekeeper_service
-  incident_service
  iorapd_service
  virtual_touchpad_service
  vold_service