From 2e7a301fad5b6065e2d364170a80bc58bc41aab0 Mon Sep 17 00:00:00 2001 
From: Nick Kralevich <nnk@google.com> Date: Fri, 10 Jan 2014 23:05:25 -0800 Subject: [PATCH] Address bug report denials. Triggering a bug report via Settings > Developer Options > Take bug report generates a number of denials. Two bugs here: 1) According to the "allowed" list in frameworks/native/cmds/servicemanager/service_manager.c , media apps, nfc, radio, and apps with system/root UIDs can register as a binder service. However, they were not placed into the binder_service domain. Fix them. 2) The bugreport mechanism queries all the services and java programs and asks them to write to a shell owned file. Grant the corresponding SELinux capability. Addresses the following denials: <5>[ 149.342181] type=1400 audit(1389419775.872:17): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 149.371844] type=1400 audit(1389419775.902:18): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 149.980161] type=1400 audit(1389419776.512:22): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.095066] type=1400 audit(1389419776.622:23): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.096748] type=1400 audit(1389419776.632:24): avc: denied { getattr } for pid=3178 comm="Binder_3" 
path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.097090] type=1400 audit(1389419776.632:25): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 154.545583] type=1400 audit(1389419781.072:43): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.000877] type=1400 audit(1389419782.532:44): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.022567] type=1400 audit(1389419782.552:45): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.043463] type=1400 audit(1389419782.572:46): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.062550] type=1400 audit(1389419782.592:47): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file Change-Id: 
I365d530c38ce176617e48b620c05c4aae01324d3
---
 app.te | 3 ++-
 binderservicedomain.te | 1 +
 media_app.te | 1 +
 nfc.te | 1 +
 radio.te | 1 +
 surfaceflinger.te | 1 -
 system_app.te | 1 +
 7 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/app.te b/app.te
index 1ee307550..b6701693b 100644
--- a/app.te
+++ b/app.te
@@ -78,6 +78,7 @@ allow appdomain anr_data_file:file { open append };
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain shell_data_file:file { write getattr };
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
@@ -321,7 +322,7 @@ neverallow { appdomain -platform_app -unconfineddomain }
 { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -shell -unconfineddomain } shell_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
+ { create setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -bluetooth -unconfineddomain } bluetooth_data_file:dir_file_class_set
 { create write setattr relabelfrom relabelto append unlink link rename };
diff --git a/binderservicedomain.te b/binderservicedomain.te
index cf2943da6..599030145 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -3,6 +3,7 @@
 # Allow dumpstate to collect information from binder services
 allow binderservicedomain dumpstate:fd use;
 allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain shell_data_file:file { getattr write };
 # Allow dumpsys to work from adb shell
 allow binderservicedomain devpts:chr_file rw_file_perms;
diff --git a/media_app.te b/media_app.te
index 830cbd5bb..65f38636b 100644
--- a/media_app.te
+++ b/media_app.te
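Review bot: The new `allow appdomain shell_data_file:file { write getattr };` in the first app.te hunk is not scoped to the bugreport fd it exists for: it applies to every domain carrying appdomain, untrusted_app included, on any file labelled shell_data_file, and the second hunk drops `write` from the shell_data_file neverallow, so the policy no longer asserts that non-shell apps cannot write shell-owned data. Because no `open` permission is granted in this hunk the write is presumably only reachable through a descriptor handed over by dumpstate (`allow appdomain dumpstate:fd use;` just above), but any other route by which an app obtains a shell_data_file descriptor now carries write access as well, and the same observation applies to the binderservicedomain.te hunk. A narrower alternative is to give bugreport output its own file type, or to have dumpstate pass apps a pipe so that no shell_data_file write is needed at all. At minimum the rule deserves a why-comment, e.g. `# Write only to the bugreport fd received from dumpstate; no open permission on shell_data_file is granted here.`, and the neverallow should keep a note explaining why `write` was removed.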
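Review bot: The surfaceflinger.te hunk removes `allow surfaceflinger shell_data_file:file write;` on the assumption that the new `allow binderservicedomain shell_data_file:file { getattr write };` covers it, which only holds if surfaceflinger is actually a member of binderservicedomain; that membership is not visible in this patch and should be confirmed before the dumpstate screenshot path loses its write permission. The permission set is also written `{ getattr write }` here but `{ write getattr }` in app.te; pick one ordering so the two parallel rules read as the same grant. Placing the new line directly under the existing `# Allow dumpstate to collect information from binder services` comment is fine, but a trailing note such as `# bugreport output is a shell-owned file written via the fd dumpstate passes` would make the write permission self-explanatory.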
@@ -5,6 +5,7 @@ type media_app, domain;
 app_domain(media_app)
 platform_app_domain(media_app)
+binder_service(media_app)
 # Access the network.
 net_domain(media_app)
 # Access /dev/mtp_usb.
diff --git a/nfc.te b/nfc.te
index 9a354bb58..ca7a89d97 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,6 +1,7 @@
 # nfc subsystem
 type nfc, domain;
 app_domain(nfc)
+binder_service(nfc)
 # NFC device access.
 allow nfc nfc_device:chr_file rw_file_perms;
diff --git a/radio.te b/radio.te
index a119d75cf..d5bf42b19 100644
--- a/radio.te
+++ b/radio.te
@@ -3,6 +3,7 @@ type radio, domain;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
+binder_service(radio)
 # Talks to init via the property socket.
 unix_socket_connect(radio, property, init)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index edbe22ff2..24c20ebfc 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -43,7 +43,6 @@ allow surfaceflinger bootanim:fd use;
 # Allow a dumpstate triggered screenshot
 binder_call(surfaceflinger, dumpstate)
 binder_call(surfaceflinger, shell)
-allow surfaceflinger shell_data_file:file write;
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
diff --git a/system_app.te b/system_app.te
index 41e446be8..a80cc4548 100644
--- a/system_app.te
+++ b/system_app.te
@@ -6,6 +6,7 @@ type system_app, domain;
 permissive_or_unconfined(system_app)
 app_domain(system_app)
+binder_service(system_app)
 # Perform binder IPC to any app domain.
 binder_call(system_app, appdomain)
--
GitLab
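Review bot: `binder_service(media_app)` in the media_app.te hunk, and the identical lines in nfc.te, radio.te and system_app.te, do more than permit registration with servicemanager: membership in binderservicedomain brings in every rule written for that domain, including the `devpts:chr_file rw_file_perms` grant visible in the binderservicedomain.te hunk and the shell_data_file write added there, so the effective widening is the whole binderservicedomain rule set rather than the one denial the commit message cites. These four domains already carry app_domain, so the shell_data_file write now reaches them twice; that is harmless but worth knowing when either grant is later tightened. A short comment on each added line, e.g. `# Registers binder services (see the allowed list in service_manager.c).`, would record why an app domain is also a binder service domain.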