From 2843f2a79b01a916b8f277fa194656031a3837f9 Mon Sep 17 00:00:00 2001 
From: Enzo Liao Date: Mon, 18 Mar 2024 22:14:47 +0800 Subject: [PATCH] Centralize SELinux policies for deamons and apps related to ramdumps and coredumps according to go/pixel-defrag. They include the domains: 1. dump_ramdump 2. ramdump 3. ramdump_app 4. sscoredump 5. ssr_detector_app We copy policies of domains of ramdump and sscoredump from hardware/google/pixel-sepolicy to gs-common but don't remove them there to keep compatibility for other projects. New SELinux policies: 1. Create a new file context of /data/vendor/ssrdump/logcat for SSRestartDetector to write device logs when it detects new coredumps. 2. RamdumpService will also access the path to compress device logs to zip files of coredumps. Bug: 298102808 Design: go/sys-software-logging Test: Manual (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7d7c8ebaeb07288f43bf507de3cd8919984337da) Merged-In: I02c2e1569a95ea90901d9476ef75bca74a4f43e1 Change-Id: I02c2e1569a95ea90901d9476ef75bca74a4f43e1 --- ramdump/ramdump.mk | 3 -- ramdump/sepolicy/file_contexts | 2 - {ramdump => ramdump_and_coredump}/Android.bp | 0 .../dump_ramdump.cpp | 0 ramdump_and_coredump/ramdump_and_coredump.mk | 18 +++++++ ramdump_and_coredump/sepolicy/bug_map | 3 ++ ramdump_and_coredump/sepolicy/device.te | 1 + .../sepolicy/dump_ramdump.te | 0 ramdump_and_coredump/sepolicy/file.te | 15 ++++++ ramdump_and_coredump/sepolicy/file_contexts | 17 +++++++ ramdump_and_coredump/sepolicy/genfs_contexts | 1 + ramdump_and_coredump/sepolicy/property.te | 2 + .../sepolicy/property_contexts | 3 ++ ramdump_and_coredump/sepolicy/ramdump.te | 48 +++++++++++++++++++ ramdump_and_coredump/sepolicy/ramdump_app.te | 26 ++++++++++ ramdump_and_coredump/sepolicy/seapp_contexts | 5 ++ ramdump_and_coredump/sepolicy/sscoredump.te | 18 +++++++ .../sepolicy/ssr_detector_app.te | 27 +++++++++++ 18 files changed, 184 insertions(+), 5 deletions(-) delete mode 100644 ramdump/ramdump.mk delete mode 100644 ramdump/sepolicy/file_contexts rename 
{ramdump => ramdump_and_coredump}/Android.bp (100%) rename {ramdump => ramdump_and_coredump}/dump_ramdump.cpp (100%) create mode 100644 ramdump_and_coredump/ramdump_and_coredump.mk create mode 100644 ramdump_and_coredump/sepolicy/bug_map create mode 100644 ramdump_and_coredump/sepolicy/device.te rename {ramdump => ramdump_and_coredump}/sepolicy/dump_ramdump.te (100%) create mode 100644 ramdump_and_coredump/sepolicy/file.te create mode 100644 ramdump_and_coredump/sepolicy/file_contexts create mode 100644 ramdump_and_coredump/sepolicy/genfs_contexts create mode 100644 ramdump_and_coredump/sepolicy/property.te create mode 100644 ramdump_and_coredump/sepolicy/property_contexts create mode 100644 ramdump_and_coredump/sepolicy/ramdump.te create mode 100644 ramdump_and_coredump/sepolicy/ramdump_app.te create mode 100644 ramdump_and_coredump/sepolicy/seapp_contexts create mode 100644 ramdump_and_coredump/sepolicy/sscoredump.te create mode 100644 ramdump_and_coredump/sepolicy/ssr_detector_app.te
diff --git a/ramdump/ramdump.mk b/ramdump/ramdump.mk
deleted file mode 100644
index 5b34a67..0000000
--- a/ramdump/ramdump.mk
+++ /dev/null
@@ -1,3 +0,0 @@
-PRODUCT_PACKAGES_DEBUG += dump_ramdump
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/ramdump/sepolicy
diff --git a/ramdump/sepolicy/file_contexts b/ramdump/sepolicy/file_contexts
deleted file mode 100644
index 726f69d..0000000
--- a/ramdump/sepolicy/file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# dumpstate
-/vendor/bin/dump/dump_ramdump u:object_r:dump_ramdump_exec:s0
diff --git a/ramdump/Android.bp b/ramdump_and_coredump/Android.bp
similarity index 100%
rename from ramdump/Android.bp
rename to ramdump_and_coredump/Android.bp
diff --git a/ramdump/dump_ramdump.cpp b/ramdump_and_coredump/dump_ramdump.cpp
similarity index 100%
rename from ramdump/dump_ramdump.cpp
rename to ramdump_and_coredump/dump_ramdump.cpp
diff --git a/ramdump_and_coredump/ramdump_and_coredump.mk b/ramdump_and_coredump/ramdump_and_coredump.mk
new file mode 100644
index 0000000..24af44e
--- /dev/null
+++ b/ramdump_and_coredump/ramdump_and_coredump.mk
@@ -0,0 +1,18 @@
+PRODUCT_PACKAGES += \
+ sscoredump \
+
+PRODUCT_PACKAGES_DEBUG += \
+ dump_ramdump \
+ ramdump \
+
+# When not AOSP targets
+ifeq (,$(filter aosp_%, $(TARGET_PRODUCT)))
+ PRODUCT_PACKAGES += SSRestartDetector
+ PRODUCT_PACKAGES_DEBUG += RamdumpUploader
+endif
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/ramdump_and_coredump/sepolicy
+
+# sscoredump
+PRODUCT_PROPERTY_OVERRIDES += vendor.debug.ssrdump.type=sscoredump
+PRODUCT_SOONG_NAMESPACES += vendor/google/tools/subsystem-coredump
diff --git a/ramdump_and_coredump/sepolicy/bug_map b/ramdump_and_coredump/sepolicy/bug_map
new file mode 100644
index 0000000..0554746
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/bug_map
@@ -0,0 +1,3 @@
+ramdump vendor_hw_plat_prop file b/161103878
+ramdump public_vendor_default_prop file b/161103878
+ramdump proc_bootconfig file b/181615626
diff --git a/ramdump_and_coredump/sepolicy/device.te b/ramdump_and_coredump/sepolicy/device.te
new file mode 100644
index 0000000..7614dd4
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/device.te
@@ -0,0 +1 @@
+type sscoredump_device, dev_type;
diff --git a/ramdump/sepolicy/dump_ramdump.te b/ramdump_and_coredump/sepolicy/dump_ramdump.te
similarity index 100%
rename from ramdump/sepolicy/dump_ramdump.te
rename to ramdump_and_coredump/sepolicy/dump_ramdump.te
diff --git a/ramdump_and_coredump/sepolicy/file.te b/ramdump_and_coredump/sepolicy/file.te
new file mode 100644
index 0000000..10c3171
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/file.te
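Review bot: The added `BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/ramdump_and_coredump/sepolicy` line in ramdump_and_coredump.mk pulls in the ramdump and sscoredump types, while the commit message says the same policies stay in hardware/google/pixel-sepolicy. A product that lists both directories would presumably fail the policy build on duplicate type declarations, so a comment above this line should state that the pixel-sepolicy ramdump and sscoredump directories must not be included together with this makefile. Separately, the `PRODUCT_PACKAGES` and `PRODUCT_PACKAGES_DEBUG` lists end with a trailing `\` before a blank line; dropping the backslash on the last entry avoids an accidental continuation if that blank line is ever removed.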
@@ -0,0 +1,15 @@
+# ramdump: file
+type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
+type ramdump_vendor_fs, fusefs_type, data_file_type, mlstrustedobject;
+
+# sscoredump: file
+type sscoredump_vendor_data_coredump_file, file_type, data_file_type, mlstrustedobject;
+type sscoredump_vendor_data_crashinfo_file, file_type, data_file_type, mlstrustedobject;
+
+# sscoredump: sysfs
+type sysfs_sscoredump_level, sysfs_type, fs_type; # sscoredump level
+type sysfs_sscoredump_subsystem_report_count, sysfs_type, fs_type; # subsystem report_count: per device explicit path
+
+# ssr_detector_app
+type sscoredump_vendor_data_logcat_file, file_type, data_file_type, mlstrustedobject;
diff --git a/ramdump_and_coredump/sepolicy/file_contexts b/ramdump_and_coredump/sepolicy/file_contexts
new file mode 100644
index 0000000..747fc02
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/file_contexts
@@ -0,0 +1,17 @@
+# dump_ramdump
+/vendor/bin/dump/dump_ramdump u:object_r:dump_ramdump_exec:s0
+
+# ramdump
+/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
+/mnt/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
+/vendor/bin/ramdump u:object_r:ramdump_exec:s0
+/vendor/bin/ramdump32 u:object_r:ramdump_exec:s0
+
+# sscoredump
+/data/vendor/ssrdump(/.*)? u:object_r:sscoredump_vendor_data_crashinfo_file:s0
+/data/vendor/ssrdump/coredump(/.*)? u:object_r:sscoredump_vendor_data_coredump_file:s0
+/dev/sscd_.* u:object_r:sscoredump_device:s0
+/vendor/bin/sscoredump u:object_r:sscoredump_exec:s0
+
+# ssr_detector_app
+/data/vendor/ssrdump/logcat(/.*)? u:object_r:sscoredump_vendor_data_logcat_file:s0
diff --git a/ramdump_and_coredump/sepolicy/genfs_contexts b/ramdump_and_coredump/sepolicy/genfs_contexts
new file mode 100644
index 0000000..5a6e494
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/genfs_contexts
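Review bot: Every data file type declared in file.te carries `mlstrustedobject`, which exempts the labeled files from MLS level checks, and the hunk gives no reason for it. Judging from seapp_contexts in this patch, the readers are `ramdump_app` (`levelFrom=all`) and `ssr_detector_app` (`levelFrom=user`), which is presumably why the attribute is needed. Since these labels cover memory dumps and device logs, a comment above each group such as `# mlstrustedobject: accessed by app domains that run with per-user/per-app levels` would tell the next maintainer that the exemption is deliberate and which domains rely on it.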
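Review bot: Nothing in this patch creates `/data/vendor/ssrdump/logcat`, so the new `sscoredump_vendor_data_logcat_file` entry in file_contexts only takes effect if the directory is created and labeled somewhere else. In ssr_detector_app.te the app gets `create_dir_perms` on the logcat type but only `r_dir_perms` on `sscoredump_vendor_data_crashinfo_file`, the label of the parent `/data/vendor/ssrdump`, so it cannot add the directory itself. A directory created under that parent would also inherit the crashinfo label unless a type transition or restorecon applies. Presumably an init `mkdir` outside this patch handles it; a comment above the entry naming where the directory is created would make that dependency visible.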
@@ -0,0 +1 @@
+genfscon sysfs /class/sscoredump/level u:object_r:sysfs_sscoredump_level:s0
diff --git a/ramdump_and_coredump/sepolicy/property.te b/ramdump_and_coredump/sepolicy/property.te
new file mode 100644
index 0000000..e708b5a
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/property.te
@@ -0,0 +1,2 @@
+# ramdump
+vendor_internal_prop(vendor_ramdump_prop)
diff --git a/ramdump_and_coredump/sepolicy/property_contexts b/ramdump_and_coredump/sepolicy/property_contexts
new file mode 100644
index 0000000..a50f5a9
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/property_contexts
@@ -0,0 +1,3 @@
+# ramdump
+ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0
+vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0
diff --git a/ramdump_and_coredump/sepolicy/ramdump.te b/ramdump_and_coredump/sepolicy/ramdump.te
new file mode 100644
index 0000000..d66139f
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/ramdump.te
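Review bot: Both entries in property_contexts omit the match kind and value type, so `ro.boot.ramdump` is treated as a prefix and labels every property whose name starts with that string. Both `ramdump` and `ramdump_app` get `set_prop` on `vendor_ramdump_prop` in this patch, so the label's reach decides what those domains may write. If `ro.boot.ramdump` is a single property, I would write it as `ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0 exact string` (value type to be confirmed) and mark the second entry `prefix` explicitly.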
@@ -0,0 +1,48 @@
+type ramdump_exec, exec_type, vendor_file_type, file_type;
+type ramdump, domain;
+
+userdebug_or_eng(`
+ init_daemon_domain(ramdump)
+
+ set_prop(ramdump, vendor_ramdump_prop)
+
+ # f2fs set pin file requires sys_admin
+ allow ramdump self:capability { sys_admin sys_rawio };
+
+ allow ramdump ramdump_vendor_data_file:dir create_dir_perms;
+ allow ramdump ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump proc_cmdline:file r_file_perms;
+
+ allow ramdump block_device:dir search;
+ allow ramdump misc_block_device:blk_file rw_file_perms;
+ allow ramdump userdata_block_device:blk_file rw_file_perms;
+
+ # Allow ReadDefaultFstab().
+ read_fstab(ramdump)
+
+ # read /fstab.${ro.hardware}
+ allow ramdump rootfs:file r_file_perms;
+
+ r_dir_file(ramdump, sysfs_type)
+
+ # To access statsd.
+ hwbinder_use(ramdump)
+ get_prop(ramdump, hwservicemanager_prop)
+ get_prop(ramdump, boot_status_prop)
+ allow ramdump fwk_stats_hwservice:hwservice_manager find;
+ binder_call(ramdump, stats_service_server)
+ allow ramdump fwk_stats_service:service_manager find;
+ binder_use(ramdump)
+
+ # To implement fusefs (ramdumpfs) under /mnt/vendor/ramdump.
+ allow ramdump fuse:filesystem relabelfrom;
+ allow ramdump fuse_device:chr_file rw_file_perms;
+ allow ramdump mnt_vendor_file:dir r_dir_perms;
+ allow ramdump ramdump_vendor_mnt_file:dir { getattr mounton };
+ allow ramdump ramdump_vendor_fs:filesystem { mount unmount relabelfrom relabelto };
+ allow ramdump_vendor_mnt_file ramdump_vendor_fs:filesystem associate;
+
+ # Access new Stats AIDL APIs (ag/13714907).
+ allow ramdump fwk_stats_service:service_manager find;
+ binder_call(ramdump, servicemanager)
+')
diff --git a/ramdump_and_coredump/sepolicy/ramdump_app.te b/ramdump_and_coredump/sepolicy/ramdump_app.te
new file mode 100644
index 0000000..85d4bfd
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/ramdump_app.te
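Review bot: The comment above `allow ramdump self:capability { sys_admin sys_rawio };` in ramdump.te justifies only `sys_admin`. `sys_rawio` sits next to `rw_file_perms` on `userdata_block_device` and `misc_block_device`, which gives the daemon raw access to user data, so it deserves its own comment line stating the reason. `r_dir_file(ramdump, sysfs_type)` grants read on every sysfs label and could be narrowed to specific types if the daemon only needs a few nodes. `allow ramdump fwk_stats_service:service_manager find;` appears twice, under "To access statsd." and under "Access new Stats AIDL APIs", and one copy can go. All of these rules are inside `userdebug_or_eng`, so user builds are not affected.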
@@ -0,0 +1,26 @@
+type ramdump_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ramdump_app)
+
+ allow ramdump_app app_api_service:service_manager find;
+
+ allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
+
+ set_prop(ramdump_app, vendor_ramdump_prop)
+ get_prop(ramdump_app, system_boot_reason_prop)
+
+ # To access ramdumpfs.
+ allow ramdump_app mnt_vendor_file:dir search;
+ allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
+ allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
+
+ # To access subsystem ramdump files and dirs.
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+ allow ramdump_app sscoredump_vendor_data_logcat_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_logcat_file:file r_file_perms;
+')
diff --git a/ramdump_and_coredump/sepolicy/seapp_contexts b/ramdump_and_coredump/sepolicy/seapp_contexts
new file mode 100644
index 0000000..2618216
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/seapp_contexts
@@ -0,0 +1,5 @@
+# ramdump_app
+user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
+# ssr_detector_app
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
diff --git a/ramdump_and_coredump/sepolicy/sscoredump.te b/ramdump_and_coredump/sepolicy/sscoredump.te
new file mode 100644
index 0000000..70d6e1b
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/sscoredump.te
@@ -0,0 +1,18 @@
+type sscoredump, domain;
+type sscoredump_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(sscoredump)
+
+set_prop(sscoredump, vendor_ssrdump_prop)
+
+allow sscoredump device:dir r_dir_perms;
+allow sscoredump sscoredump_device:chr_file rw_file_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+allow sscoredump sysfs_sscoredump_subsystem_report_count:file r_file_perms;
+
+userdebug_or_eng(`
+ allow sscoredump sysfs_sscoredump_level:file rw_file_perms;
+ allow sscoredump sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow sscoredump sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
diff --git a/ramdump_and_coredump/sepolicy/ssr_detector_app.te b/ramdump_and_coredump/sepolicy/ssr_detector_app.te
new file mode 100644
index 0000000..ffd612a
--- /dev/null
+++ b/ramdump_and_coredump/sepolicy/ssr_detector_app.te
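Review bot: `set_prop(sscoredump, vendor_ssrdump_prop)` in sscoredump.te uses a type that no file in this patch declares. property.te here adds only `vendor_ramdump_prop`, and property_contexts has no `vendor.debug.ssrdump.` entry even though the new makefile sets `vendor.debug.ssrdump.type`. The same holds in ssr_detector_app.te for `vendor_ssrdump_prop`, `vendor_aoc_prop`, `vendor_wifi_version`, `sysfs_sjtag` and `proc_vendor_sched`. They are presumably declared in another sepolicy directory, which means this directory does not build on its own; either move the declarations and the property context here, or add a comment naming the directory that provides them.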
@@ -0,0 +1,27 @@
+type ssr_detector_app, domain;
+
+app_domain(ssr_detector_app)
+allow ssr_detector_app app_api_service:service_manager find;
+allow ssr_detector_app radio_service:service_manager find;
+
+allow ssr_detector_app system_app_data_file:dir create_dir_perms;
+allow ssr_detector_app system_app_data_file:file create_file_perms;
+
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+
+userdebug_or_eng(`
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+ allow ssr_detector_app sscoredump_vendor_data_logcat_file:dir create_dir_perms;
+ allow ssr_detector_app sscoredump_vendor_data_logcat_file:file create_file_perms;
+ get_prop(ssr_detector_app, vendor_aoc_prop)
+ allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
+ allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
+ allow ssr_detector_app proc_vendor_sched:dir search;
+ allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
+ allow ssr_detector_app cgroup:file write;
+')
+
+get_prop(ssr_detector_app, vendor_ssrdump_prop)
+get_prop(ssr_detector_app, vendor_wifi_version)
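Review bot: The `userdebug_or_eng` block in ssr_detector_app.te gives an app domain `rw_file_perms` on `sysfs_sjtag` and `proc_vendor_sched` and `write` on `cgroup:file`, with no comment on any of the three. The commit message speaks only of writing device logs to /data/vendor/ssrdump/logcat, so a reader cannot tell why these rules are needed. Write access to a debug-interface node and to scheduler tunables should carry a one-line comment above each rule stating which SSRestartDetector feature needs it. If the app only reads the SJTAG nodes, `allow ssr_detector_app sysfs_sjtag:file r_file_perms;` would be enough.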