From bc24ba72839468ff76f46c47d27c2f07d98c8fd7 Mon Sep 17 00:00:00 2001
From: Yi Jin <jinyithu@google.com>
Date: Mon, 22 Jan 2018 14:00:46 -0800
Subject: [PATCH] Selinux permissions for incidentd project

Bug: 64222712
Test: manual
Change-Id: Ica77ae3c9e535eddac9fccf11710b0bcb3254ab3
---
 private/compat/26.0/26.0.cil        |  5 ++++-
 private/compat/26.0/26.0.ignore.cil |  2 ++
 private/file_contexts               |  1 +
 private/genfs_contexts              |  1 +
 private/incident.te                 |  2 ++
 private/incident_helper.te          | 13 ++++++++++++
 private/incidentd.te                | 33 +++++++++++++++++++----------
 private/system_server.te            |  1 +
 public/file.te                      |  1 +
 public/incident_helper.te           |  5 +++++
 10 files changed, 52 insertions(+), 12 deletions(-)
 create mode 100644 private/incident_helper.te
 create mode 100644 public/incident_helper.te

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index d44fd7ad7..9d173bed2 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -123,7 +123,10 @@
 (typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
 (typeattributeset dalvik_prop_26_0 (dalvik_prop))
 (typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0 (debugfs))
+(typeattributeset debugfs_26_0
+  ( debugfs
+    debugfs_wakeup_sources
+  ))
 (typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
 (typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
 (typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 7bab01214..f6889aec7 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -42,6 +42,8 @@
     hal_tetheroffload_hwservice
     hal_usb_gadget_hwservice
     hal_wifi_offload_hwservice
+    incident_helper
+    incident_helper_exec
     kmsg_debug_device
     last_boot_reason_prop
     mediaprovider_tmpfs
diff --git a/private/file_contexts b/private/file_contexts
index 211394525..9083b0cdd 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -207,6 +207,7 @@
 /system/bin/dumpstate   u:object_r:dumpstate_exec:s0
 /system/bin/incident   u:object_r:incident_exec:s0
 /system/bin/incidentd   u:object_r:incidentd_exec:s0
+/system/bin/incident_helper  u:object_r:incident_helper_exec:s0
 /system/bin/netutils-wrapper-1\.0    u:object_r:netutils_wrapper_exec:s0
 /system/bin/vold	u:object_r:vold_exec:s0
 /system/bin/netd	u:object_r:netd_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2ff1b4d9b..76f5bdda1 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -128,6 +128,7 @@ genfscon debugfs /tracing/instances/wifi              u:object_r:debugfs_wifi_tr
 genfscon tracefs /instances/wifi                      u:object_r:debugfs_wifi_tracing:s0
 genfscon debugfs /tracing/trace_marker                u:object_r:debugfs_trace_marker:s0
 genfscon tracefs /trace_marker                        u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources                      u:object_r:debugfs_wakeup_sources:s0
 
 genfscon debugfs /tracing/events/sync/enable                         u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/workqueue/enable                    u:object_r:debugfs_tracing_debug:s0
diff --git a/private/incident.te b/private/incident.te
index b910ddef3..203881657 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -23,3 +23,5 @@ allow incident incident_service:service_manager find;
 binder_call(incident, incidentd)
 allow incident incidentd:fifo_file write;
 
+# only allow incident being called by shell
+neverallow { domain -su -shell -incident } incident_exec:file { execute execute_no_trans };
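Review bot: The comment above the new neverallow says only shell may invoke incident, but the exclusion list also exempts su (which on AOSP exists only on userdebug/eng builds) and incident itself, which needs execute on its own entrypoint for the domain transition, so the comment understates what the rule permits. A reader tightening or loosening this set later would be better served by `# only shell (and su on debug builds) may execute incident; incident keeps execute on its own entrypoint`. The rest of incident's rules are outside the hunk.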
diff --git a/private/incident_helper.te b/private/incident_helper.te
new file mode 100644
index 000000000..e9bb51180
--- /dev/null
+++ b/private/incident_helper.te
@@ -0,0 +1,13 @@
+typeattribute incident_helper coredomain;
+
+type incident_helper_exec, exec_type, file_type;
+
+# switch to incident_helper domain for incident_helper command
+domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
+
+# use pipe to transmit data from/to incidentd/incident_helper for parsing
+allow incident_helper { shell incident incidentd }:fd use;
+allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+
+# only allow incidentd and shell to call incident_helper
+neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
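Review bot: The fd-use and fifo_file rules grant incident_helper access to pipes from shell and incident, and the neverallow exempts shell from the execute restriction, yet the only domain transition defined is `domain_auto_trans(incidentd, incident_helper_exec, incident_helper)`; if shell execs the binary without a transition it would run in the shell domain (execute_no_trans), in which case the shell/incident entries in the two allow rules never apply. Either those sources should be dropped to match the stated design ("called by incidentd"), or a transition from shell is missing — whether shell has execute_no_trans on exec_type files cannot be confirmed from this patch. A comment stating which callers are actually expected, e.g. `# incidentd spawns incident_helper; shell/incident only hand it pipe fds for manual testing (confirm)`, would make the intent checkable.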
diff --git a/private/incidentd.te b/private/incidentd.te
index 5810d9a09..b88526347 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -1,21 +1,16 @@
 typeattribute incidentd coredomain;
+typeattribute incidentd mlstrustedsubject;
 
 init_daemon_domain(incidentd)
 type incidentd_exec, exec_type, file_type;
 binder_use(incidentd)
 wakelock_use(incidentd)
 
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };
-
 # Allow incidentd to scan through /proc/pid for all processes
 r_dir_file(incidentd, domain)
 
-allow incidentd self:global_capability_class_set {
-    # Send signals to processes
-    kill
-};
+# Allow incidentd to kill incident_helper when timeout
+allow incidentd incident_helper:process sigkill;
 
 # Allow executing files on system, such as:
 #   /system/bin/toolbox
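Review bot: `typeattribute incidentd mlstrustedsubject;` is added with no comment, and unlike the per-section allow rules it exempts every access incidentd makes from MLS constraints, so it is the broadest grant in this patch and the hunk does not say which access needs it. Replacing the kill capability with `allow incidentd incident_helper:process sigkill;` is a good tightening, but the MLS exemption deserves the same precision: a comment naming the MLS-categorized data it is needed for, along the lines of `# mlstrustedsubject: required to read per-app data labeled with MLS categories (name the section that needs this)`, would let a reviewer verify it later.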
@@ -24,6 +19,22 @@ allow incidentd self:global_capability_class_set {
 allow incidentd system_file:file execute_no_trans;
 allow incidentd toolbox_exec:file rx_file_perms;
 
+# section id 2001, allow reading /proc/pagetypeinfo
+allow incidentd proc_pagetypeinfo:file r_file_perms;
+
+# section id 2002, allow reading /d/wakeup_sources
+allow incidentd debugfs_wakeup_sources:file r_file_perms;
+
+# section id 2003, allow executing top
+allow incidentd proc_meminfo:file { open read };
+
+# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
+allow incidentd sysfs_devices_system_cpu:file r_file_perms;
+
+# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
+allow incidentd sysfs_batteryinfo:dir { search };
+allow incidentd sysfs_batteryinfo:file r_file_perms;
+
 # Create and write into /data/misc/incidents
 allow incidentd incident_data_file:dir rw_dir_perms;
 allow incidentd incident_data_file:file create_file_perms;
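Review bot: The comment "section id 2003, allow executing top" does not match its rule, which grants only `{ open read }` on proc_meminfo and no execute permission; the executable permissions come from the toolbox_exec and system_file rules just above the hunk. The rule also differs from every neighbouring section, which use r_file_perms; dropping getattr means a stat() on /proc/meminfo (which top may do) would be denied, so the deliberate narrowing should be explained or the rule aligned with the others: `# section id 2003, allow reading /proc/meminfo (read by top)` and `allow incidentd proc_meminfo:file r_file_perms;`.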
@@ -33,7 +44,7 @@ allow incidentd incident_data_file:file create_file_perms;
 
 # Signal java processes to dump their stack and get the results
 # TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
-# TODO allow incidentd anr_data_file:dir rw_dir_perms;
+# TODO allow incidentd anr_data_file:dir create_dir_perms;
 # TODO allow incidentd anr_data_file:file create_file_perms;
 
 # Signal native processes to dump their stack.
@@ -52,7 +63,7 @@ allow incidentd {
 }:process signal;
 
 # Allow incidentd to make binder calls to any binder service
-binder_call(incidentd, binderservicedomain)
+binder_call(incidentd, system_server)
 binder_call(incidentd, appdomain)
 
 # Reading /proc/PID/maps of other processes
@@ -62,7 +73,7 @@ binder_call(incidentd, appdomain)
 allow incidentd shell_exec:file rx_file_perms;
 
 # logd access - work to be done is a PII safe log (possibly an event log?)
-# TODO read_logd(incidentd)
+userdebug_or_eng(`read_logd(incidentd)')
 # TODO control_logd(incidentd)
 
 # Allow incidentd to find these standard groups of services.
diff --git a/private/system_server.te b/private/system_server.te
index 2054d9916..035e8f158 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -135,6 +135,7 @@ allow system_server proc_sysrq:file rw_file_perms;
 
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
+allow system_server debugfs_wakeup_sources:file r_file_perms;
 
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
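Review bot: After this patch /sys/kernel/debug/wakeup_sources is labeled debugfs_wakeup_sources (genfs_contexts hunk), so the existing `allow system_server debugfs:file r_file_perms;` under the comment "Read /sys/kernel/debug/wakeup_sources." no longer serves that purpose; it now only covers whatever other files keep the generic debugfs label. Either the generic rule should be removed if wakeup_sources was its only reason, or the comment should be updated to name what else system_server reads from debugfs, e.g. `# Read /sys/kernel/debug/wakeup_sources (now debugfs_wakeup_sources); generic debugfs read kept for: <list>`. Whether other debugfs files are read cannot be determined from this hunk.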
diff --git a/public/file.te b/public/file.te
index 13176972b..c6b2a79d2 100644
--- a/public/file.te
+++ b/public/file.te
@@ -112,6 +112,7 @@ type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
 type debugfs_wifi_tracing, fs_type, debugfs_type;
 
 type pstorefs, fs_type;
diff --git a/public/incident_helper.te b/public/incident_helper.te
new file mode 100644
index 000000000..bca101869
--- /dev/null
+++ b/public/incident_helper.te
@@ -0,0 +1,5 @@
+# The incident_helper is called by incidentd and
+# can only read/write data from/to incidentd
+
+# incident_helper
+type incident_helper, domain;
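Review bot: The header comment states that incident_helper "can only read/write data from/to incidentd", but the private policy in the same patch grants it `fd use` and fifo_file read/write toward shell and incident as well, so the public description is narrower than the actual policy. Since this file is the public, long-lived description of the domain, it should either match the rules — `# The incident_helper is spawned by incidentd to parse section data over pipes; it may also inherit pipe fds from shell and incident` — or the extra sources should be removed from private/incident_helper.te so the stated contract holds.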
-- 
GitLab