initial dumpstate domain

Add the necessary rules to support dumpstate.
Start in permissive mode until the domain has had more testing.

Dumpstate is triggered by running "adb bugreport"

Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
diff --git a/app.te b/app.te
index 34f99e6..f3a083c 100644
--- a/app.te
+++ b/app.te
@@ -68,6 +68,10 @@
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
 
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # Everybody can read the xt_qtaguid resource tracking misc dev.
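Review bot: The new comment says apps "send dump information to dumpstate" but does not explain how an app comes to hold a dumpstate fd at all, which is what the `fd use` plus `unix_stream_socket { read write getopt getattr }` pair on the lines below it is really about; presumably this is the socket dumpstate passes across binder when it asks a process to dump itself, so the grant is needed by whichever app receives that request. Suggest stating that in the comment, e.g. `# Apps receive dumpstate's output socket over binder (dump requests); let them write their dump output into it`. Worth noting in the same comment that the grant is to every appdomain rather than only to the apps dumpstate actually asks, so any app that is handed the fd can write arbitrary bytes into the bugreport stream; that is inherent to the design, but a reader scoping this down later should know it was deliberate.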
diff --git a/binderservicedomain.te b/binderservicedomain.te
new file mode 100644
index 0000000..a67d585
--- /dev/null
+++ b/binderservicedomain.te
@@ -0,0 +1,5 @@
+# Rules common to all binder service domains
+
+# Alow dumpstate to collect information from binder services
+allow binderservicedomain dumpstate:fd use;
+allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
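Review bot: The header comment on the second added line has a typo, `# Alow dumpstate to collect information from binder services` should read `# Allow dumpstate to collect information from binder services`. The attribute `binderservicedomain` that both rules are written against is not declared anywhere in this patch, so it is presumably defined in an attributes file outside the change; a one-line comment naming where it comes from (and that `binder_service()` is what adds a domain to it, as the healthd.te hunk does) would make this new file self-explanatory. These two rules mirror the appdomain grant in app.te, so the same note about the fd being handed over binder applies here.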
diff --git a/dumpstate.te b/dumpstate.te
new file mode 100644
index 0000000..8c27273
--- /dev/null
+++ b/dumpstate.te
@@ -0,0 +1,70 @@
+# dumpstate
+type dumpstate, domain;
+permissive dumpstate;
+type dumpstate_exec, exec_type, file_type;
+
+init_daemon_domain(dumpstate)
+net_domain(dumpstate)
+relabelto_domain(dumpstate)
+binder_use(dumpstate)
+
+# Drop privileges by switching UID / GID
+allow dumpstate self:capability { setuid setgid };
+
+# Allow dumpstate to scan through /proc/pid for all processes
+r_dir_file(dumpstate, domain)
+
+# Send signals to processes
+allow dumpstate self:capability kill;
+
+# Allow executing files on system, such as:
+#   /system/bin/toolbox
+#   /system/bin/logcat
+#   /system/bin/dumpsys
+allow dumpstate system_file:file execute_no_trans;
+
+# Create and write into /data/anr/
+allow dumpstate self:capability { dac_override chown fowner fsetid };
+allow dumpstate anr_data_file:dir { rw_dir_perms relabelto };
+allow dumpstate anr_data_file:file create_file_perms;
+allow dumpstate system_data_file:dir { create_dir_perms relabelfrom };
+
+# Allow reading /data/system/uiderrors.txt
+# TODO: scope this down.
+allow dumpstate system_data_file:file r_file_perms;
+
+# Read dmesg
+allow dumpstate self:capability2 syslog;
+allow dumpstate kernel:system syslog_read;
+
+# Get process attributes
+allow dumpstate domain:process getattr;
+
+# Signal java processes to dump their stack
+allow dumpstate { appdomain system_server }:process signal;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in dumpstate/utils.c
+allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+
+# The /system/bin/ip command needs this for routing table information.
+allow dumpstate self:netlink_route_socket { write getattr setopt };
+
+# The vdc command needs to talk to the vold socket.
+unix_socket_connect(dumpstate, vold, vold)
+
+# Vibrate the device after we're done collecting the bugreport
+# /sys/class/timed_output/vibrator/enable
+# TODO: create a new file class, instead of allowing write access to all of /sys
+allow dumpstate sysfs:file w_file_perms;
+
+# Other random bits of data we want to collect
+allow dumpstate qtaguid_proc:file r_file_perms;
+allow dumpstate debugfs:file r_file_perms;
+
+# Allow dumpstate to make binder calls to any binder service
+binder_call(dumpstate, binderservicedomain)
+binder_call(dumpstate, appdomain)
+
+# Reading /proc/PID/maps of other processes
+allow dumpstate self:capability sys_ptrace;
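Review bot: The last rule grants only `self:capability sys_ptrace` for "Reading /proc/PID/maps of other processes", but the kernel's ptrace access check for reading another process's maps also goes through the SELinux process hook, which requires the `ptrace` permission on the target domain in addition to the capability; once this domain leaves permissive, the capability alone will not be enough and the maps read would be denied. If the intent is to keep the comment's promise under enforcement, the matching rule is `allow dumpstate domain:process ptrace;`, which is a broad grant and deserves its own comment about why dumpstate needs it. Because the domain is declared `permissive dumpstate;` at the top of the hunk, this gap (and any other missing rule, e.g. the `sysfs:file w_file_perms` TODO being broader than the single vibrator node) will only show up as audit denials rather than failures, so the denials collected during the permissive period should be reviewed against the comments here before flipping the domain to enforcing.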
diff --git a/file.te b/file.te
index d0f79ac..cb184e3 100644
--- a/file.te
+++ b/file.te
@@ -101,6 +101,7 @@
 type adbd_socket, file_type;
 type bluetooth_socket, file_type;
 type dnsproxyd_socket, file_type, mlstrustedobject;
+type dumpstate_socket, file_type;
 type gps_socket, file_type;
 type installd_socket, file_type;
 type keystore_socket, file_type;
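Review bot: `dumpstate_socket` is declared here and labelled in file_contexts, but no rule in this change grants any domain access to it, and the client side of "adb bugreport" (adbd connecting to /dev/socket/dumpstate) is not touched; unless adbd's existing rules already cover `dumpstate_socket:sock_file write` and `dumpstate:unix_stream_socket connectto`, the connect will be denied on the adbd side regardless of dumpstate being permissive. I cannot see adbd.te from this diff, so this may be handled elsewhere. If it is not, the missing piece is the single line `unix_socket_connect(adbd, dumpstate, dumpstate)` in adbd.te, and a comment on this type declaration saying who is expected to connect to the socket would help the next reader.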
diff --git a/file_contexts b/file_contexts
index 2587304..9df91cd 100644
--- a/file_contexts
+++ b/file_contexts
@@ -77,6 +77,7 @@
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/bluetooth	u:object_r:bluetooth_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
+/dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
 /dev/socket/gps		u:object_r:gps_socket:s0
 /dev/socket/installd	u:object_r:installd_socket:s0
 /dev/socket/keystore	u:object_r:keystore_socket:s0
@@ -121,6 +122,7 @@
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
 /system/bin/drmserver	u:object_r:drmserver_exec:s0
+/system/bin/dumpstate   u:object_r:dumpstate_exec:s0
 /system/bin/vold	u:object_r:vold_exec:s0
 /system/bin/netd	u:object_r:netd_exec:s0
 /system/bin/rild	u:object_r:rild_exec:s0
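Review bot: The added `/system/bin/dumpstate   u:object_r:dumpstate_exec:s0` line in the second hunk separates the path and context with spaces while every neighbouring entry uses a tab; file_contexts tolerates either, but the mixed whitespace makes the column misalign and will show up as noise in future diffs. Suggest using a tab, as in `/system/bin/dumpstate	u:object_r:dumpstate_exec:s0`. The /dev/socket/dumpstate entry in the first hunk already follows the tab convention.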
diff --git a/healthd.te b/healthd.te
index 53e6e8e..9d23571 100644
--- a/healthd.te
+++ b/healthd.te
@@ -11,6 +11,7 @@
 allow healthd self:capability2 block_suspend;
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
 binder_use(healthd)
+binder_service(healthd)
 binder_call(healthd, system_server)
 
 # Workaround for 0x10 / block_suspend capability2 denials.
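Review bot: The added `binder_service(healthd)` has no comment, and its effect is not local to this file: it presumably adds healthd to `binderservicedomain`, which the new binderservicedomain.te then uses to let healthd use dumpstate's fd and socket, and which `binder_call(dumpstate, binderservicedomain)` in dumpstate.te targets. Suggest stating the reason inline, e.g. `# healthd publishes a binder service, so dumpstate/dumpsys can ask it to dump its state`, so the connection to the dumpstate change is not lost. I cannot tell from the diff whether the macro also grants anything beyond the attribute; if it does, that is worth noting too.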
diff --git a/su.te b/su.te
index dda7708..2a3d007 100644
--- a/su.te
+++ b/su.te
@@ -2,6 +2,10 @@
 type su_exec, exec_type, file_type;
 domain_auto_trans(shell, su_exec, su)
 
+# Allow dumpstate to call su on userdebug / eng builds to collect
+# additional information.
+domain_auto_trans(dumpstate, su_exec, su)
+
 # su is unconfined.
 unconfined_domain(su)
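Review bot: The comment on the added `domain_auto_trans(dumpstate, su_exec, su)` says it is for userdebug/eng builds, but the rule itself is unconditional in the policy: on any build where a file is labelled `su_exec`, executing it from dumpstate transitions into the `su` domain, which the line below this hunk makes unconfined. The safety argument therefore rests on `su_exec` never being present on user builds, and the comment should say so explicitly, e.g. `# Relies on no su_exec binary shipping on user builds; the transition itself is unconditional.` If the policy build supports per-variant conditional rules, wrapping this rule in that conditional would make the stated intent enforceable rather than assumed.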