Merge "Centralize SELinux policies for deamons and apps related to ramdumps and coredumps according to go/pixel-defrag." into 24D1-dev

ramdump/ramdump.mk

@@ -1,3 +0,0 @@
-PRODUCT_PACKAGES_DEBUG += dump_ramdump
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/ramdump/sepolicy

ramdump/sepolicy/file_contexts

@@ -1,2 +0,0 @@
-# dumpstate
-/vendor/bin/dump/dump_ramdump           u:object_r:dump_ramdump_exec:s0

ramdump_and_coredump/ramdump_and_coredump.mk

@@ -0,0 +1,18 @@
+PRODUCT_PACKAGES += \
+  sscoredump \
+
+PRODUCT_PACKAGES_DEBUG += \
+    dump_ramdump \
+    ramdump \
+
+# When not AOSP targets
+ifeq (,$(filter aosp_%, $(TARGET_PRODUCT)))
+  PRODUCT_PACKAGES += SSRestartDetector
+  PRODUCT_PACKAGES_DEBUG += RamdumpUploader
+endif
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/ramdump_and_coredump/sepolicy
+
+# sscoredump
+PRODUCT_PROPERTY_OVERRIDES += vendor.debug.ssrdump.type=sscoredump
+PRODUCT_SOONG_NAMESPACES += vendor/google/tools/subsystem-coredump

ramdump_and_coredump/sepolicy/bug_map

@@ -0,0 +1,3 @@
+ramdump vendor_hw_plat_prop file b/161103878
+ramdump public_vendor_default_prop file b/161103878
+ramdump proc_bootconfig file b/181615626

ramdump_and_coredump/sepolicy/device.te

@@ -0,0 +1 @@
+type sscoredump_device, dev_type;

ramdump_and_coredump/sepolicy/file.te

@@ -0,0 +1,15 @@
+# ramdump: file
+type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
+type ramdump_vendor_fs, fusefs_type, data_file_type, mlstrustedobject;
+
+# sscoredump: file
+type sscoredump_vendor_data_coredump_file, file_type, data_file_type, mlstrustedobject;
+type sscoredump_vendor_data_crashinfo_file, file_type, data_file_type, mlstrustedobject;
+
+# sscoredump: sysfs
+type sysfs_sscoredump_level, sysfs_type, fs_type;                  # sscoredump level
+type sysfs_sscoredump_subsystem_report_count, sysfs_type, fs_type; # subsystem report_count: per device explicit path
+
+# ssr_detector_app
+type sscoredump_vendor_data_logcat_file, file_type, data_file_type, mlstrustedobject;

ramdump_and_coredump/sepolicy/file_contexts

@@ -0,0 +1,17 @@
+# dump_ramdump
+/vendor/bin/dump/dump_ramdump           u:object_r:dump_ramdump_exec:s0
+
+# ramdump
+/data/vendor/ramdump(/.*)?                u:object_r:ramdump_vendor_data_file:s0
+/mnt/vendor/ramdump(/.*)?                 u:object_r:ramdump_vendor_mnt_file:s0
+/vendor/bin/ramdump                       u:object_r:ramdump_exec:s0
+/vendor/bin/ramdump32                     u:object_r:ramdump_exec:s0
+
+# sscoredump
+/data/vendor/ssrdump(/.*)?             u:object_r:sscoredump_vendor_data_crashinfo_file:s0
+/data/vendor/ssrdump/coredump(/.*)?    u:object_r:sscoredump_vendor_data_coredump_file:s0
+/dev/sscd_.*                           u:object_r:sscoredump_device:s0
+/vendor/bin/sscoredump                 u:object_r:sscoredump_exec:s0
+
+# ssr_detector_app
+/data/vendor/ssrdump/logcat(/.*)?      u:object_r:sscoredump_vendor_data_logcat_file:s0

ramdump_and_coredump/sepolicy/genfs_contexts

@@ -0,0 +1 @@
+genfscon sysfs /class/sscoredump/level u:object_r:sysfs_sscoredump_level:s0

ramdump_and_coredump/sepolicy/property.te

@@ -0,0 +1,2 @@
+# ramdump
+vendor_internal_prop(vendor_ramdump_prop)

ramdump_and_coredump/sepolicy/property_contexts

@@ -0,0 +1,3 @@
+# ramdump
+ro.boot.ramdump                           u:object_r:vendor_ramdump_prop:s0
+vendor.debug.ramdump.                     u:object_r:vendor_ramdump_prop:s0

ramdump_and_coredump/sepolicy/ramdump.te

@@ -0,0 +1,48 @@
+type ramdump_exec, exec_type, vendor_file_type, file_type;
+type ramdump, domain;
+
+userdebug_or_eng(`
+  init_daemon_domain(ramdump)
+
+  set_prop(ramdump, vendor_ramdump_prop)
+
+  # f2fs set pin file requires sys_admin
+  allow ramdump self:capability { sys_admin sys_rawio };
+
+  allow ramdump ramdump_vendor_data_file:dir create_dir_perms;
+  allow ramdump ramdump_vendor_data_file:file create_file_perms;
+  allow ramdump proc_cmdline:file r_file_perms;
+
+  allow ramdump block_device:dir search;
+  allow ramdump misc_block_device:blk_file rw_file_perms;
+  allow ramdump userdata_block_device:blk_file rw_file_perms;
+
+  # Allow ReadDefaultFstab().
+  read_fstab(ramdump)
+
+  # read /fstab.${ro.hardware}
+  allow ramdump rootfs:file r_file_perms;
+
+  r_dir_file(ramdump, sysfs_type)
+
+  # To access statsd.
+  hwbinder_use(ramdump)
+  get_prop(ramdump, hwservicemanager_prop)
+  get_prop(ramdump, boot_status_prop)
+  allow ramdump fwk_stats_hwservice:hwservice_manager find;
+  binder_call(ramdump, stats_service_server)
+  allow ramdump fwk_stats_service:service_manager find;
+  binder_use(ramdump)
+
+  # To implement fusefs (ramdumpfs) under /mnt/vendor/ramdump.
+  allow ramdump fuse:filesystem relabelfrom;
+  allow ramdump fuse_device:chr_file rw_file_perms;
+  allow ramdump mnt_vendor_file:dir r_dir_perms;
+  allow ramdump ramdump_vendor_mnt_file:dir { getattr mounton };
+  allow ramdump ramdump_vendor_fs:filesystem { mount unmount relabelfrom relabelto };
+  allow ramdump_vendor_mnt_file ramdump_vendor_fs:filesystem associate;
+
+  # Access new Stats AIDL APIs (ag/13714907).
+  allow ramdump fwk_stats_service:service_manager find;
+  binder_call(ramdump, servicemanager)
+')

ramdump_and_coredump/sepolicy/ramdump_app.te

@@ -0,0 +1,26 @@
+type ramdump_app, domain;
+
+userdebug_or_eng(`
+  app_domain(ramdump_app)
+
+  allow ramdump_app app_api_service:service_manager find;
+
+  allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
+  allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
+
+  set_prop(ramdump_app, vendor_ramdump_prop)
+  get_prop(ramdump_app, system_boot_reason_prop)
+
+  # To access ramdumpfs.
+  allow ramdump_app mnt_vendor_file:dir search;
+  allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
+  allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
+
+  # To access subsystem ramdump files and dirs.
+  allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+  allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+  allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+  allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+  allow ramdump_app sscoredump_vendor_data_logcat_file:dir r_dir_perms;
+  allow ramdump_app sscoredump_vendor_data_logcat_file:file r_file_perms;
+')

ramdump_and_coredump/sepolicy/seapp_contexts

@@ -0,0 +1,5 @@
+# ramdump_app
+user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
+# ssr_detector_app
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user

ramdump_and_coredump/sepolicy/sscoredump.te

@@ -0,0 +1,18 @@
+type sscoredump, domain;
+type sscoredump_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(sscoredump)
+
+set_prop(sscoredump, vendor_ssrdump_prop)
+
+allow sscoredump device:dir r_dir_perms;
+allow sscoredump sscoredump_device:chr_file rw_file_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+allow sscoredump sysfs_sscoredump_subsystem_report_count:file r_file_perms;
+
+userdebug_or_eng(`
+  allow sscoredump sysfs_sscoredump_level:file rw_file_perms;
+  allow sscoredump sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+  allow sscoredump sscoredump_vendor_data_coredump_file:file create_file_perms;
+')

ramdump_and_coredump/sepolicy/ssr_detector_app.te

@@ -0,0 +1,27 @@
+type ssr_detector_app, domain;
+
+app_domain(ssr_detector_app)
+allow ssr_detector_app app_api_service:service_manager find;
+allow ssr_detector_app radio_service:service_manager find;
+
+allow ssr_detector_app system_app_data_file:dir create_dir_perms;
+allow ssr_detector_app system_app_data_file:file create_file_perms;
+
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+
+userdebug_or_eng(`
+  allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+  allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+  allow ssr_detector_app sscoredump_vendor_data_logcat_file:dir create_dir_perms;
+  allow ssr_detector_app sscoredump_vendor_data_logcat_file:file create_file_perms;
+  get_prop(ssr_detector_app, vendor_aoc_prop)
+  allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
+  allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
+  allow ssr_detector_app proc_vendor_sched:dir search;
+  allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
+  allow ssr_detector_app cgroup:file write;
+')
+
+get_prop(ssr_detector_app, vendor_ssrdump_prop)
+get_prop(ssr_detector_app, vendor_wifi_version)