ramdump/ramdump_app: SE policies to implement and access ramdumpfs

(The avc denied logs attached at b/153840597#comment2 were reproduced on
flame. However, the implementation (ag/11030564) makes these accesses
shared across the Pixel series (except Pixel 1 & 2).)

Bug: 153840597
Change-Id: I2473acca07437458ce8f1e234ada850729d4535d
Merged-In: I2473acca07437458ce8f1e234ada850729d4535d
diff --git a/vendor/google/file.te b/vendor/google/file.te
index 7a7d931..ae65f49 100644
--- a/vendor/google/file.te
+++ b/vendor/google/file.te
@@ -5,3 +5,6 @@
 type sysfs_pixelstats, sysfs_type, fs_type;
 type persist_battery_file, file_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
+
+# RamdumpFS
+allow ramdump_vendor_mnt_file self:filesystem associate;
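Review bot: The `associate` rule for ramdump_vendor_mnt_file is added to vendor/google/file.te while the type itself is declared in vendor/qcom/common/file.te in this same change, so the rule only compiles on a device that includes both trees; keeping the rule next to the declaration (or moving the declaration here, if the type is meant to be Pixel-wide as the description says) avoids a policy build break on a device that pulls in one but not the other. The one-word comment also does not say why a self-associate is needed; presumably the fuse superblock is relabeled to this type at mount time (ramdump.te grants `relabelto` on it), in which case something like `# RamdumpFS: the fuse mount is relabeled (context=) to this type, so its files must be able to associate with it` would make the dependency clear to the next reader.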
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 642ead6..d44f079 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
@@ -93,6 +93,7 @@
 type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject;
 type cnss_vendor_data_file, file_type, data_file_type, mlstrustedobject;
 type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
 type wifidump_vendor_data_file, file_type, data_file_type;
 type modem_dump_file, file_type, data_file_type;
 type sensors_vendor_data_file, file_type, data_file_type;
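Review bot: `mlstrustedobject` on the new ramdump_vendor_mnt_file type is undocumented; it exempts the type from the MLS level and category constraints, which is presumably required because ramdump_app (an app domain that carries MLS categories) is granted create/write access on it in ramdump_app.te, but it also means any domain that later receives an allow rule on this type is exempt in the same way. A comment stating the reason keeps the attribute from being copied forward without need, e.g. `# mlstrustedobject: ramdump_app runs with app MLS categories and must write here`. Since ramdump.te also uses this label as the filesystem label of the fuse mount (`mount unmount relabelto` on the `:filesystem` class), it would help to say on the declaration that the type labels both the mount point directory and the mounted ramdumpfs.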
@@ -110,6 +111,7 @@
 
 type vendor_tui_data_file, file_type, data_file_type;
 type wifi_vendor_log_data_file, file_type, data_file_type;
+
 type hal_neuralnetworks_data_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 60d19c5..b273044 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -76,6 +76,12 @@
 # Block devices for the drive that holds the xbl_a and xbl_b partitions.
 /dev/block/sd[bc]1?                             u:object_r:xbl_block_device:s0
 
+###################################
+# ramdumpfs files
+#
+/mnt/vendor/ramdump(/.*)?                       u:object_r:ramdump_vendor_mnt_file:s0
+/ramdump(/.*)?                                  u:object_r:ramdump_vendor_mnt_file:s0
+
 # Block device for hal_bootctl
 /dev/block/sde                                  u:object_r:boot_block_device:s0
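Review bot: The second entry `/ramdump(/.*)?` labels a directory at the filesystem root, but nothing in the change explains it: the commit description, the ramdump.te comment and the ramdump_app search rule on mnt_vendor_file all refer only to /mnt/vendor/ramdump. If /ramdump is a legacy path or a symlink target that the daemon or app still opens, say so in the comment (`# /ramdump: legacy path, kept for ...`); if it is not actually used, drop the entry so the label is not reachable through a path the policy otherwise never grants. Note too that a `context=` mount would apply the label to the mounted files by itself, so these entries matter mainly for the mount point directory and for restorecon; hedged, since the mount options are not visible here.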
 
diff --git a/vendor/qcom/common/ramdump.te b/vendor/qcom/common/ramdump.te
index 5748f95..7b2e786 100644
--- a/vendor/qcom/common/ramdump.te
+++ b/vendor/qcom/common/ramdump.te
@@ -34,4 +34,11 @@
   get_prop(ramdump, hwservicemanager_prop)
   allow ramdump fwk_stats_hwservice:hwservice_manager find;
   binder_call(ramdump, stats_service_server)
+
+  # To implement fusefs (ramdumpfs) under /mnt/vendor/ramdump.
+  allow ramdump fuse:filesystem relabelfrom;
+  allow ramdump fuse_device:chr_file rw_file_perms;
+  allow ramdump mnt_vendor_file:dir r_dir_perms;
+  allow ramdump ramdump_vendor_mnt_file:dir { getattr mounton };
+  allow ramdump ramdump_vendor_mnt_file:filesystem { mount unmount relabelfrom relabelto };
 ')
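Review bot: `relabelfrom` on `ramdump_vendor_mnt_file:filesystem` looks wider than the mount needs: a `context=` mount of a fuse filesystem requires `relabelfrom` on the source label (`fuse:filesystem`, granted on the line above) and `relabelto` on the target label, whereas `relabelfrom` on the target label would only be exercised when relabeling the ramdumpfs superblock away from its own type again. If no denial in the attached log shows that permission, drop it from the set so the daemon cannot remount the filesystem under a different label. It would also help to make the comment say how the mount is labeled, e.g. `# ramdump is the FUSE server for ramdumpfs, mounted with context=ramdump_vendor_mnt_file under /mnt/vendor/ramdump.`, since that is what justifies the relabel pair and the associate rule elsewhere. The enclosing block starts before this hunk.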
diff --git a/vendor/qcom/common/ramdump_app.te b/vendor/qcom/common/ramdump_app.te
index 49d15dc..38cf2f4 100644
--- a/vendor/qcom/common/ramdump_app.te
+++ b/vendor/qcom/common/ramdump_app.te
@@ -13,4 +13,9 @@
   set_prop(ramdump_app, vendor_ramdump_prop);
   get_prop(system_app, vendor_ssr_prop)
   get_prop(ramdump_app, system_boot_reason_prop)
+
+  # To access ramdumpfs.
+  allow ramdump_app mnt_vendor_file:dir search;
+  allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
+  allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
 ')
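Review bot: `create_dir_perms` and `create_file_perms` give ramdump_app full create/write/rename/unlink/setattr rights on the whole ramdumpfs, while the commit only says the app needs to "access" it. If the app's role is to read dumps and remove them once they are handled, the least-privilege grant would be `r_dir_perms` on the dir plus `r_file_perms` and, if the denial log shows it, `unlink` on files, rather than every create/write permission. Since ramdump_vendor_mnt_file also carries mlstrustedobject, these write rights are not limited by the app's MLS categories, so narrowing them matters more than it would for a plain data label. The enclosing block starts before this hunk.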