From 03ff9f91c148e51e18b3bdf81d2aa52dfb171067 Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Wed, 14 Feb 2018 14:32:38 -0800
Subject: [PATCH] Ensure taking a bugreport generates no denials.

This commit adds new SELinux permissions and neverallow rules so that taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified that there were no denials.
Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: I10882e7adda0bb51bf373e0e62fda0acc8ad34eb
---
 private/dumpstate.te | 7 +++++++
 private/installd.te | 4 ++++
 private/storaged.te | 3 +++
 vendor/hal_camera_default.te | 4 ++++
 4 files changed, 18 insertions(+)

diff --git a/private/dumpstate.te b/private/dumpstate.te
index 8b72457e3..2c2a62f53 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -38,3 +38,10 @@ get_prop(dumpstate, boottime_prop)
 allow dumpstate { statsd }:process signal;
+
+# For collecting bugreports.
+allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+allow dumpstate dev_type:blk_file getattr;
+allow dumpstate webview_zygote:process signal;
+dontaudit dumpstate perfprofd:binder call;
+dontaudit dumpstate update_engine:binder call;
diff --git a/private/installd.te b/private/installd.te
index f74843dd1..055371631 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -16,3 +16,7 @@ domain_auto_trans(installd, idmap_exec, idmap)
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
+
+# For collecting bugreports.
+allow installd dumpstate:fd use;
+allow installd dumpstate:fifo_file r_file_perms;
diff --git a/private/storaged.te b/private/storaged.te
index a1e680217..7fe62868e 100644
--- a/private/storaged.te
+++ b/private/storaged.te
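Review bot: The two `dontaudit dumpstate … :binder call;` lines at the end of the dumpstate hunk silence the denial without granting the call, so dumpstate still cannot dump perfprofd and update_engine and those bugreport sections will be missing with no audit trail to explain why. If that is deliberate, the rules deserve a comment saying so, e.g. `# Not allowed to dump these services; suppress the denial instead of granting binder access.`, and if it is not, they should be `allow` rules like the lines above them. `allow dumpstate dev_type:blk_file getattr;` also grants stat on every type carrying the dev_type attribute; if the captured denial named one specific device type, that narrower type would be the better target. Separately, the commit message says neverallow rules are added, but none of the 18 inserted lines in the diffstat is a neverallow.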
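Review bot: `allow installd dumpstate:fifo_file r_file_perms;` grants the whole read macro (open, getattr, ioctl and whatever else the macro expands to in this tree) on dumpstate's pipes, whereas the storaged and hal_camera_default hunks in the same change grant a single `write`. Since installd receives the descriptor through the `dumpstate:fd use` rule above it, `open` is not needed; if the observed denial was only for `read`, `allow installd dumpstate:fifo_file read;` is the tighter rule. The comment could also note that installd reads from the pipe here, the opposite direction from the other domains in this change, so the asymmetry does not look like a mistake to the next reader.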
@@ -53,6 +53,9 @@ allow storaged package_native_service:service_manager find;
 # running as root. See b/35323867 #3.
 dontaudit storaged self:global_capability_class_set dac_override;
+# For collecting bugreports.
+allow storaged dumpstate:fifo_file write;
+
 ###
 ### neverallow
 ###
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 239e5c19b..5bc4a6191 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -5,3 +5,7 @@ type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
 allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+
+# For collecting bugreports.
+allow hal_camera_default dumpstate:fd use;
+allow hal_camera_default dumpstate:fifo_file write;
-- GitLab
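Review bot: `allow storaged dumpstate:fifo_file write;` has no matching `allow storaged dumpstate:fd use;`, unlike the installd and hal_camera_default hunks in this change, which grant both. Writing to a pipe inherited from dumpstate normally needs fd use on dumpstate's descriptor as well, so unless an earlier part of storaged.te (outside this hunk) already grants it, this rule alone leaves a denial in place. The commit's test reports none, so it may well be granted elsewhere; if so, a one-line comment such as `# fd use on dumpstate is granted above.` would save the next reader the search, and if not, `allow storaged dumpstate:fd use;` belongs next to this line.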
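Review bot: The two new rules are attached to `hal_camera_default`, the default implementation's domain, so a device that ships its camera HAL in its own domain will hit the same `dumpstate:fd use` and `dumpstate:fifo_file write` denials this change is fixing. If the intent is for any camera HAL to be dumpable by dumpstate, the rules would be better placed on the attribute shared by the camera HAL server domains (presumably a hal_camera_server attribute in the public policy, going by the naming used for the other HAL types in this tree) rather than in a vendor-specific file. Either way, the comment could say what the pipe is for, e.g. `# Let dumpstate collect this HAL's dump output over the pipe it passes in.`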