From de3a3e41560314a3fda35adddf0f2328dd9e3a1a Mon Sep 17 00:00:00 2001
From: Mike Ma <yanmin@google.com>
Date: Mon, 3 Dec 2018 10:35:40 -0800
Subject: [PATCH] Allow dumpstate to dump incidentd

An incident.proto section has been added to the bugreport. Need
appropriate sepolicy changes to allow binder calls and fd access.

Bug: 119417232
Test: adb bugreport. Verify incident.proto is in the proto folder,
      and there are no sepolicy violations.

Change-Id: Iac27cbf283a2e1cb41862c76343c2b639f6c0e1e
---
 private/dumpstate.te       | 3 +++
 private/incident_helper.te | 4 ++--
 private/incidentd.te       | 9 +++++----
 public/dumpstate.te        | 2 --
 4 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/private/dumpstate.te b/private/dumpstate.te
index 293998d98..5cba2cdf9 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -22,6 +22,9 @@ userdebug_or_eng(`
   allow dumpstate wm_trace_data_file:file r_file_perms;
 ')
 
+# Allow dumpstate to make binder calls to incidentd
+binder_call(dumpstate, incidentd)
+
 # Allow dumpstate to make binder calls to storaged service
 binder_call(dumpstate, storaged)
 
diff --git a/private/incident_helper.te b/private/incident_helper.te
index 078aa246b..b45385568 100644
--- a/private/incident_helper.te
+++ b/private/incident_helper.te
@@ -6,8 +6,8 @@ type incident_helper_exec, system_file_type, exec_type, file_type;
 domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
 
 # use pipe to transmit data from/to incidentd/incident_helper for parsing
-allow incident_helper { shell incident incidentd }:fd use;
-allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+allow incident_helper { shell incident incidentd dumpstate }:fd use;
+allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write };
 allow incident_helper incidentd:unix_stream_socket { read write };
 
 # only allow incidentd and shell to call incident_helper
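Review bot: The widened `fifo_file { getattr read write }` rule gives incident_helper both read and write on pipes owned by dumpstate, but the comment above it still describes only the incidentd/incident_helper pipe, so the reason for the dumpstate entry is undocumented. If the access is needed only because dumpstate's descriptors are inherited when incidentd executes the helper during a bugreport (an inference; the hunk does not show it), record that, e.g. `# dumpstate: fds passed to incidentd for the bugreport section are inherited by incident_helper`. It is also worth checking against the denials seen in testing whether `read` is needed for the dumpstate case, and splitting dumpstate into its own narrower rule if not. The context comment `# only allow incidentd and shell to call incident_helper` refers to rules outside this hunk.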
diff --git a/private/incidentd.te b/private/incidentd.te
index 4e80bdd9d..ad6fbf3b3 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -134,9 +134,9 @@ allow incidentd {
 # Only incidentd can publish the binder service
 add_service(incidentd, incident_service)
 
-# Allow pipes from (and only from) incident
-allow incidentd incident:fd use;
-allow incidentd incident:fifo_file write;
+# Allow pipes only from dumpstate and incident
+allow incidentd { dumpstate incident }:fd use;
+allow incidentd { dumpstate incident }:fifo_file write;
 
 # Allow incident to call back to incident with status updates.
 binder_call(incidentd, incident)
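Review bot: The new comment `# Allow pipes only from dumpstate and incident` promises exclusivity that the two `allow` rules beneath it cannot enforce, because any other rule in the policy can grant incidentd `fifo_file write` on a further domain without contradicting them. Either reword it to what the rules do, e.g. `# Allow incidentd to use fds and write to pipes passed in by dumpstate and incident`, or back the "only" with a matching neverallow in the section further down the file. Whether such a neverallow already exists cannot be seen from this hunk.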
@@ -145,9 +145,10 @@ binder_call(incidentd, incident)
 ### neverallow rules
 ###
 
-# only system_server, system_app and incident command can find the incident service
+# only dumpstate, system_server, system_app and incident command can find the incident service
 neverallow {
   domain
+  -dumpstate
   -incident
   -incidentd
   -statsd
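Review bot: The updated comment names dumpstate, system_server, system_app and the incident command, but the exemption list visible below it also carves out `incidentd` and `statsd`, so the comment understates who may find the incident service. Suggest listing every exempted domain, e.g. `# only dumpstate, incident, incidentd, statsd, system_app and system_server can find the incident service`, adjusted to the remainder of the list, which continues past the end of the hunk. This exemption only makes room for the access. The grant itself appears to come from dropping `-incident_service` in public/dumpstate.te, so a short cross-reference to that file would help a later auditor.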
diff --git a/public/dumpstate.te b/public/dumpstate.te
index af6956ef3..cd3310aee 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -209,7 +209,6 @@ allow dumpstate {
   -apex_service
   -dumpstate_service
   -gatekeeper_service
-  -incident_service
   -iorapd_service
   -virtual_touchpad_service
   -vold_service
@@ -220,7 +219,6 @@ dontaudit dumpstate {
   apex_service
   dumpstate_service
   gatekeeper_service
-  incident_service
   iorapd_service
   virtual_touchpad_service
   vold_service
-- 
GitLab