From 11bfcc1e96d9ede3d5aaa586630d154e73a7214a Mon Sep 17 00:00:00 2001
From: Narayan Kamath <narayan@google.com>
Date: Mon, 15 May 2017 18:39:16 +0100
Subject: [PATCH] SEPolicy: Changes for new stack dumping scheme.

Applications connect to tombstoned via a unix domain socket and request an open FD to which they can write their traces. This socket has a new label (tombstoned_java_trace_socket) and appdomain and system_server are given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

Change-Id: I70a3e6e230268d12b454e849fa88418082269c4f
---
 private/app.te | 14 +++++++++++++-
 private/file_contexts | 1 +
 private/system_server.te | 13 +++++++++++++
 public/domain.te | 7 ++++++-
 public/file.te | 1 +
 public/tombstoned.te | 13 +++++++++----
 6 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/private/app.te b/private/app.te
index 0bc5fdd97..ee440eec4 100644
--- a/private/app.te
+++ b/private/app.te
@@ -138,10 +138,22 @@ allow appdomain shortcut_manager_icons:file { getattr read };
 # Read icon file (opened by system).
 allow appdomain icon_file:file { getattr read };
 
-# Write to /data/anr/traces.txt.
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
 
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces.
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
diff --git a/private/file_contexts b/private/file_contexts
index 73f4a7faf..691605a4e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -146,6 +146,7 @@
 /dev/socket/rild u:object_r:rild_socket:s0
 /dev/socket/rild-debug u:object_r:rild_debug_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
 /dev/socket/uncrypt u:object_r:uncrypt_socket:s0
 /dev/socket/vold u:object_r:vold_socket:s0
diff --git a/private/system_server.te b/private/system_server.te
index c51c04082..90401d348 100644
--- a/private/system_server.te
+++ b/private/system_server.te
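Review bot: `allow appdomain tombstoned:fd use;` is the receiving side of the FD hand-off the commit message describes, but nothing at the rule says so, nor that writing to the returned descriptor still depends on the `anr_data_file:file append` rule kept above it — worth a comment such as `# Receive the per-trace anr_data_file FD that tombstoned passes back; writing to it still relies on the anr_data_file:file append rule above.` The mirrored `allow system_server tombstoned:fd use;` in private/system_server.te lacks the same explanation. It would also help to state on `unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)` that the grant is deliberately for every domain under the appdomain attribute, since the TODO above it only talks about the old scheme and a reader has to infer the intended breadth from the commit message.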
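Review bot: The new `/dev/socket/tombstoned_java_trace` entry breaks the alphabetical order the surrounding block otherwise keeps (rild, rild-debug, tombstoned_crash, tombstoned_intercept, uncrypt, vold): `tombstoned_intercept` sorts before `tombstoned_java_trace`, so the line belongs one position lower, directly after `/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0`. Purely a style point; the label itself matches the type declared in public/file.te.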
@@ -330,9 +330,22 @@ allow system_server asec_apk_file:file create_file_perms;
 allow system_server asec_public_file:file create_file_perms;
 
 # Manage /data/anr.
+#
+# TODO: Some of these permissions can be withdrawn once we've switched to the
+# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
+# the system_server should never need to create a new anr_data_file:file or write
+# to one, but it will still need to read and append to existing files.
 allow system_server anr_data_file:dir create_dir_perms;
 allow system_server anr_data_file:file create_file_perms;
 
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow system_server to connect and write to the tombstoned java trace socket in
+# order to dump its traces.
+unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
+allow system_server tombstoned:fd use;
+
 # Read /data/misc/incidents - only read. The fd will be sent over binder,
 # with no DAC access to it, for dropbox to read.
 allow system_server incident_data_file:file read;
diff --git a/public/domain.te b/public/domain.te
index 1957d1e2f..4b41c7e64 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -771,14 +771,19 @@ neverallow {
 # Processes that can't exec crash_dump
 -mediacodec
 -mediaextractor
-} tombstoned:unix_stream_socket connectto;
+} tombstoned_crash_socket:unix_stream_socket connectto;
+
 neverallow {
 domain
 -crash_dump
 -mediacodec
 -mediaextractor
 } tombstoned_crash_socket:sock_file write;
+
+# Never allow anyone except dumpstate or the system server to connect or write to
+# the tombstoned intercept socket.
 neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
 
 # Android does not support System V IPCs.
 #
diff --git a/public/file.te b/public/file.te
index 79f2c09e7..bf8223a5e 100644
--- a/public/file.te
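Review bot: Retargeting the first neverallow from `tombstoned:unix_stream_socket connectto` to `tombstoned_crash_socket:unix_stream_socket connectto` appears to leave it with nothing to check: as I read it, `connectto` on a unix stream socket is evaluated against the label of the listening socket, i.e. the server's domain (`tombstoned`), while `tombstoned_crash_socket` labels the sock_file — which is exactly why the `unix_socket_connect` macro used in app.te and system_server.te names `tombstoned`, not the socket file type, as its connectto target. No allow rule in the tree would ever name `tombstoned_crash_socket` as a connectto target, so the neverallow becomes vacuous, and the new `tombstoned_intercept_socket:unix_stream_socket connectto` neverallow at the end of the hunk has the same shape; the two `sock_file write` neverallows are what actually keep other domains off those sockets now. If the intent was to keep the connectto guard while admitting the new java-trace clients, keep `tombstoned` as the target and add `-appdomain` and `-system_server` to the exclusion set, with a comment that the crash socket's `sock_file write` neverallow is then the rule that keeps apps off the crash socket. The enclosing neverallow block starts before the hunk.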
+++ b/public/file.te
@@ -272,6 +272,7 @@ type rild_debug_socket, file_type;
 type system_wpa_socket, file_type, coredomain_socket;
 type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type, coredomain_socket;
 type uncrypt_socket, file_type, coredomain_socket;
 type vold_socket, file_type, coredomain_socket;
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 37243bb66..cf3ddcba9 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -10,8 +10,13 @@ allow tombstoned domain:dir r_dir_perms;
 allow tombstoned domain:file r_file_perms;
 allow tombstoned tombstone_data_file:dir rw_dir_perms;
 allow tombstoned tombstone_data_file:file create_file_perms;
-allow tombstoned anr_data_file:file { getattr append };
-# TODO: Find out why this is happening.
-allow tombstoned anr_data_file:file write;
-auditallow tombstoned anr_data_file:file write;
+# TODO: Remove append / write permissions. They were temporarily
+# granted due to a bug which appears to have been fixed.
+allow tombstoned anr_data_file:file { append write };
+auditallow tombstoned anr_data_file:file { append write };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { getattr open create };
 
-- 
GitLab
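Review bot: `tombstoned_java_trace_socket` is declared without `coredomain_socket`, while the neighbouring `tombstoned_crash_socket` and `tombstoned_intercept_socket` lines both carry it, and nothing on the line says whether the omission is deliberate. Presumably it is — appdomain, which is not a core domain, must be able to write to this sock_file, and a coredomain_socket restriction would get in the way — but that reasoning is invisible here and the next person tidying this list will "fix" it. A one-line comment such as `# Deliberately not a coredomain_socket: app domains must be able to connect to it.` above the type would settle it; please confirm the reason against the coredomain_socket neverallows before committing to that wording.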
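Review bot: The new block gives tombstoned `create` on `anr_data_file:file` and `rw_dir_perms` on the directory, but no `unlink` on the file, so if tombstoned is meant to delete or rotate the per-trace files the comment says it now manages, that will be denied — as I recall, `remove_name` from `rw_dir_perms` on the directory is not sufficient on its own. I cannot tell from the hunk whether tombstoned ever deletes these files; if it does, the rule should read `allow tombstoned anr_data_file:file { getattr open create unlink };`, and if it does not, a comment naming who cleans up /data/anr would save the next reader the question. Separately, the retained `{ append write }` and its auditallow now sit right next to the new grants and are easy to mistake for part of the new scheme; the TODO would be more actionable if it referenced the bug the write permission was originally added for, so the audit can be retired deliberately rather than forgotten.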