Address bug report denials.
Triggering a bug report via
Settings > Developer Options > Take bug report
generates a number of denials.
Two bugs here:
1) According to the "allowed" list in
frameworks/native/cmds/servicemanager/service_manager.c ,
media apps, nfc, radio, and apps with system/root UIDs can register
as a binder service. However, they were not placed into the
binder_service domain. Fix them.
2) The bugreport mechanism queries all the services and java
programs and asks them to write to a shell owned file. Grant the
corresponding SELinux capability.
Addresses the following denials:
<5>[ 149.342181] type=1400 audit(1389419775.872:17): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 149.371844] type=1400 audit(1389419775.902:18): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 149.980161] type=1400 audit(1389419776.512:22): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 150.095066] type=1400 audit(1389419776.622:23): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 150.096748] type=1400 audit(1389419776.632:24): avc: denied { getattr } for pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 150.097090] type=1400 audit(1389419776.632:25): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 154.545583] type=1400 audit(1389419781.072:43): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.000877] type=1400 audit(1389419782.532:44): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.022567] type=1400 audit(1389419782.552:45): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.043463] type=1400 audit(1389419782.572:46): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.062550] type=1400 audit(1389419782.592:47): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3
diff --git a/app.te b/app.te
index 1ee3075..b670169 100644
--- a/app.te
+++ b/app.te
@@ -78,6 +78,7 @@
# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain shell_data_file:file { write getattr };
# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
@@ -321,7 +322,7 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -shell -unconfineddomain }
shell_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
+ { create setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -bluetooth -unconfineddomain }
bluetooth_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
diff --git a/binderservicedomain.te b/binderservicedomain.te
index cf2943d..5990301 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -3,6 +3,7 @@
# Allow dumpstate to collect information from binder services
allow binderservicedomain dumpstate:fd use;
allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain shell_data_file:file { getattr write };
# Allow dumpsys to work from adb shell
allow binderservicedomain devpts:chr_file rw_file_perms;
diff --git a/media_app.te b/media_app.te
index 830cbd5..65f3863 100644
--- a/media_app.te
+++ b/media_app.te
@@ -5,6 +5,7 @@
type media_app, domain;
app_domain(media_app)
platform_app_domain(media_app)
+binder_service(media_app)
# Access the network.
net_domain(media_app)
# Access /dev/mtp_usb.
diff --git a/nfc.te b/nfc.te
index 9a354bb..ca7a89d 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,6 +1,7 @@
# nfc subsystem
type nfc, domain;
app_domain(nfc)
+binder_service(nfc)
# NFC device access.
allow nfc nfc_device:chr_file rw_file_perms;
diff --git a/radio.te b/radio.te
index a119d75..d5bf42b 100644
--- a/radio.te
+++ b/radio.te
@@ -3,6 +3,7 @@
app_domain(radio)
net_domain(radio)
bluetooth_domain(radio)
+binder_service(radio)
# Talks to init via the property socket.
unix_socket_connect(radio, property, init)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index edbe22f..24c20eb 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -43,7 +43,6 @@
# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
-allow surfaceflinger shell_data_file:file write;
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
diff --git a/system_app.te b/system_app.te
index 41e446b..a80cc45 100644
--- a/system_app.te
+++ b/system_app.te
@@ -6,6 +6,7 @@
type system_app, domain;
permissive_or_unconfined(system_app)
app_domain(system_app)
+binder_service(system_app)
# Perform binder IPC to any app domain.
binder_call(system_app, appdomain)