From 90ae4f6b9304feadbe6fa635ce483d8b05208c8d Mon Sep 17 00:00:00 2001 
From: Jeff Vander Stoep <jeffv@google.com>
Date: Sun, 2 Jul 2017 22:02:10 -0700
Subject: [PATCH] dumpstate: remove domain_deprecated attribute

Clean up "granted" logspam. Grant the observered audited permissions including:
tcontext=cache_file
avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file
tcontext=proc
avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
tcontext=sysfs
avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
tcontext=proc_meminfo
avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file
avc: granted { read open } for comm="top" 
path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file
tcontext=rootfs
avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file
tcontext=selinuxfs
avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir
tcontext=system_file
avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir
tcontext=system_data_file
avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Bug: 28760354
Test: Build policy
Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
---
 public/domain_deprecated.te | 5 -----
 public/dumpstate.te | 24 ++++++++++++++++++++----
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 4d1f2d0e3..e5feb9aab 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -159,7 +159,6 @@ allow domain_deprecated proc_meminfo:file r_file_perms;
 userdebug_or_eng(`
 auditallow {
   domain_deprecated
-  -dumpstate
   -fsck
   -fsck_untrusted
   -rild
@@ -170,7 +169,6 @@ auditallow {
 } proc:file r_file_perms;
 auditallow {
   domain_deprecated
-  -dumpstate
   -fsck
   -fsck_untrusted
   -rild
@@ -179,7 +177,6 @@ auditallow {
 } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
 auditallow {
   domain_deprecated
-  -dumpstate
   -fingerprintd
   -healthd
   -netd
@@ -223,7 +220,6 @@ auditallow {
 auditallow {
   domain_deprecated
   -appdomain
-  -dumpstate
   -fingerprintd
   -healthd
   -inputflinger
@@ -238,7 +234,6 @@ auditallow {
 auditallow {
   domain_deprecated
   -appdomain
-  -dumpstate
   -fingerprintd
   -healthd
   -inputflinger
diff --git a/public/dumpstate.te b/public/dumpstate.te
index d8801ea3d..39bd85fa7 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -1,5 +1,5 @@
 # dumpstate
-type dumpstate, domain, domain_deprecated, mlstrustedsubject;
+type dumpstate, domain, mlstrustedsubject;
 type dumpstate_exec, exec_type, file_type;
 
 net_domain(dumpstate)
@@ -28,6 +28,9 @@ allow dumpstate self:capability {
 allow dumpstate system_file:file execute_no_trans;
 allow dumpstate toolbox_exec:file rx_file_perms;
 
+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
 # Create and write into /data/anr/
 allow dumpstate self:capability { dac_override chown fowner fsetid };
 allow dumpstate anr_data_file:dir rw_dir_perms;
@@ -81,10 +84,19 @@ allow dumpstate sysfs_usb:file w_file_perms;
 # Other random bits of data we want to collect
 allow dumpstate qtaguid_proc:file r_file_perms;
 allow dumpstate debugfs:file r_file_perms;
-# df for /storage/emulated needs search
-allow dumpstate { block_device storage_file tmpfs }:dir { search getattr };
+
+# df for
+allow dumpstate {
+  block_device
+  cache_file
+  rootfs
+  selinuxfs
+  storage_file
+  tmpfs
+}:dir { search getattr };
 allow dumpstate fuse_device:chr_file getattr;
 allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
 
 # Read /dev/cpuctl and /dev/cpuset
 r_dir_file(dumpstate, cgroup)
@@ -136,7 +148,8 @@ read_logd(dumpstate)
 control_logd(dumpstate)
 read_runtime_log_tags(dumpstate)
 
-# Read /proc and /proc/net
+# Read files in /proc
+allow dumpstate proc_meminfo:file r_file_perms;
 allow dumpstate proc_net:file r_file_perms;
 r_dir_file(dumpstate, proc)
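Review bot: Dropping `domain_deprecated` from the `type dumpstate, domain, mlstrustedsubject;` line removes every rule that attribute carried, not only the ones the audit logs in the commit message surfaced, so a dumpstate code path that did not run while the `auditallow` rules were collecting (a less common dumpsys section, a vendor-specific collector) loses its access silently and will show up later as a denial. `Test: Build policy` proves the policy compiles but does not exercise a bugreport; I would want the Test trailer to also cover taking a full bugreport on a userdebug build and grepping for `avc: denied` with `scontext=u:r:dumpstate:s0`. One example worth checking: the commit message lists `system_data_file` reads of `/data/misc/net/rt_tables` by `ip`, but no hunk in this diff adds a `system_data_file` rule, so unless dumpstate.te already grants it outside these hunks that path regresses. The replacement grants themselves are in the later hunks of this file.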
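Review bot: The comment `# df for` above the new `allow dumpstate { block_device cache_file rootfs selinuxfs storage_file tmpfs }:dir { search getattr };` rule is truncated — the line it replaces read `# df for /storage/emulated needs search`, and now that the list has grown to six types the comment no longer says why any of them is there. I would write it as `# df needs search/getattr on every mount point it reports (/, /cache, /storage/emulated, /sys/fs/selinux, ...)`, which matches the `comm="df"` audit lines in the commit message. The added `allow dumpstate { cache_file rootfs }:lnk_file { getattr read };` would benefit from the same one-line why, e.g. `# /cache and /vendor are symlinks on some devices; df and ip follow them`, since the `name="cache"` and `path="/vendor"` audit lines with `tclass=lnk_file` are the only justification and they live in the commit message rather than the policy.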
@@ -198,6 +211,9 @@ add_service(dumpstate, dumpstate_service)
 # use /dev/ion for screen capture
 allow dumpstate ion_device:chr_file r_file_perms;
 
+# read default labeled files in /sys
+r_dir_file(dumpstate, sysfs)
+
 ###
 ### neverallow rules
 ###
-- 
GitLab
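Review bot: `r_dir_file(dumpstate, sysfs)` grants read on everything that still carries the generic `sysfs` label, which is far broader than the two block-device nodes the commit message cites as the observed need (`/sys/devices/virtual/block/md0/stat` and the `block/sdb/sdb1` directory); any sysfs attribute a device's file_contexts has not relabeled to a more specific type becomes readable from the bugreport path. The grant is read-only and dumpstate is already a broadly privileged domain, so this is likely acceptable, but the comment should say what it is actually for rather than restating the macro — `# Read block device stats under /sys (e.g. /sys/devices/virtual/block/*/stat) for bugreports`. The neverallow section that begins at the end of this hunk (its body is outside the hunk) is where I would confirm that no `neverallow ... sysfs:file` rule now needs a dumpstate carve-out. If this policy has a narrower label for those block-device nodes, granting that instead of the catch-all `sysfs` type would keep the grant in line with the audited paths.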