Allow dumpstate to query Citadel info

Before this CL, CTS fails when dumpstate gathers
Citadel info. With this change, useful Citadel
information appears in dumpstate_board.txt.

In previous design, we were running --id and --selftest,
but these might be used to identify the specific
citadel chip, so we only run it on userdebug and
eng build.

Currently, we allow gathering citadel's firmware version,
uptime stats, and MB type in all bug reports
which cannot be used to identify a specific phone,
it's safe to run in shipping rom.

Log:
  avc:  denied  { find } for pid=15720 uid=1000 name=android.hardware.citadel.ICitadeld scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:citadeld_service:s0 tclass=service_manager permissive=1
  avc: denied { read } for name="vndbinder" dev="tmpfs" ino=16373 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
  avc: denied { write } for name="vndbinder" dev="tmpfs" ino=16373 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
  avc: denied { open } for path="/dev/vndbinder" dev="tmpfs" ino=16373 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
  avc: denied { ioctl } for path="/dev/vndbinder" dev="tmpfs" ino=16373 ioctlcmd=0x6209 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
  avc: denied { call } for scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:r:vndservicemanager:s0 tclass=binder permissive=1

Bug: 150648303
Test: run cts -m CtsSecurityHostTestCases -t \
      android.security.cts.SELinuxHostTest#testNoBugreportDenials
Signed-off-by: Syuan Yang <syuanyang@google.com>
Change-Id: I39cb6a4f4e61763dce1c2a3156b08174da625071
Merged-In: I39cb6a4f4e61763dce1c2a3156b08174da625071
(cherry picked from commit 711075a64e358b873f930d424c3242a4be09dc07)
diff --git a/vendor/qcom/common/hal_dumpstate_impl.te b/vendor/qcom/common/hal_dumpstate_impl.te
index 342fa31..18d9254 100644
--- a/vendor/qcom/common/hal_dumpstate_impl.te
+++ b/vendor/qcom/common/hal_dumpstate_impl.te
@@ -29,17 +29,18 @@
   #Dump perfstatsd
   allow hal_dumpstate_impl perfstatsd_exec:file rx_file_perms;
   allow hal_dumpstate_impl perfstatsd_service:service_manager find;
-  vndbinder_use(hal_dumpstate_impl)
   binder_call(hal_dumpstate_impl, perfstatsd)
 
   # Dump sensors log
   allow hal_dumpstate_impl sensors_vendor_data_file:dir r_dir_perms;
   allow hal_dumpstate_impl sensors_vendor_data_file:file r_file_perms;
-
-  # Dump citadel info
-  allow hal_dumpstate_impl citadeld_service:service_manager find;
-  binder_call(hal_dumpstate_impl, citadeld)
 ')
+
+# Citadel communication must be via citadeld
+vndbinder_use(hal_dumpstate_impl)
+binder_call(hal_dumpstate_impl, citadeld)
+allow hal_dumpstate_impl citadeld_service:service_manager find;
+
 allow hal_dumpstate_impl modem_dump_file:dir create_dir_perms;
 allow hal_dumpstate_impl modem_dump_file:file create_file_perms;
 allow hal_dumpstate_impl radio_vendor_data_file:dir r_dir_perms;
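Review bot: The three rules added after the closing `')` let hal_dumpstate_impl call citadeld on user builds, and `binder_call` grants the whole binder interface, so policy cannot separate the firmware version, uptime and MB type queries from the `--id` and `--selftest` ones that the commit message says can identify a chip. That limit is therefore enforced only by the dumpstate code, and the comment `# Citadel communication must be via citadeld` does not record it. I would replace the comment with `# All builds: dumpstate may query only non-identifying Citadel info (FW version, uptime stats, MB type); --id/--selftest must stay userdebug/eng-only in the HAL code.` The macro that `')` closes opens above the hunk, presumably `userdebug_or_eng`, so it is worth confirming that the identifying queries are still gated on build type in the dumpstate implementation. Moving `vndbinder_use` out of that block also gives this domain vndbinder access on user builds, which looks intended but is not mentioned in the description.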
@@ -164,5 +165,3 @@
 dontaudit hal_dumpstate_impl perfstatsd_service:service_manager find;
 dontaudit hal_dumpstate_impl mpss_rfs_data_file:dir r_dir_perms;
 dontaudit hal_dumpstate_impl mpss_rfs_data_file:file r_file_perms;
-dontaudit hal_dumpstate_impl citadeld_service:service_manager find;
-dontaudit hal_dumpstate_impl citadeld:binder call;