Allow dumpstate to query Citadel info

Before this CL, CTS fails when gathering
Citadel info. With this change, useful Citadel
information appears in dumpstate_board.txt.

In previous design, we were running --id and --selftest,
but these might be used to identify the specific
citadel chip, so we only run it on userdebug and
eng build.

Currently, we allow gathering citadel's firmware version,
uptime stats, and MB type in all bug reports
which cannot be used to identify a specific phone,
it's safe to run in shipping rom.

Log:
  avc:  denied  { find } for pid=15720 uid=1000 name=android.hardware.citadel.ICitadeld scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:citadeld_service:s0 tclass=service_manager permissive=1
  avc: denied { read } for name="vndbinder" dev="tmpfs" ino=16373 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
  avc: denied { write } for name="vndbinder" dev="tmpfs" ino=16373 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
  avc: denied { open } for path="/dev/vndbinder" dev="tmpfs" ino=16373 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
  avc: denied { ioctl } for path="/dev/vndbinder" dev="tmpfs" ino=16373 ioctlcmd=0x6209 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:object_r:vndbinder_device:s0 tclass=chr_file permissive=1
  avc: denied { call } for scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:r:vndservicemanager:s0 tclass=binder permissive=1

Bug: 150648303
Test: run cts -m CtsSecurityHostTestCases -t \
      android.security.cts.SELinuxHostTest#testNoBugreportDenials
Signed-off-by: Syuan Yang <syuanyang@google.com>
Change-Id: I97962010809843fdb88deb4849acf96e0cf16c27
Merged-In: I97962010809843fdb88deb4849acf96e0cf16c27
(cherry picked from commit 75a03ae7817580a4586facbb1a78bbc879842574)
diff --git a/vendor/qcom/common/hal_dumpstate_impl.te b/vendor/qcom/common/hal_dumpstate_impl.te
index e2e7c65..213a6ca 100644
--- a/vendor/qcom/common/hal_dumpstate_impl.te
+++ b/vendor/qcom/common/hal_dumpstate_impl.te
@@ -127,20 +127,16 @@
 allow hal_dumpstate_impl debugfs_pmic_votable:dir r_dir_perms;
 allow hal_dumpstate_impl debugfs_pmic_votable:file r_file_perms;
 
-userdebug_or_eng(`
-  # Citadel communication must be via citadeld
-  vndbinder_use(hal_dumpstate_impl)
-  binder_call(hal_dumpstate_impl, citadeld)
-  allow hal_dumpstate_impl citadeld_service:service_manager find;
-')
+# Citadel communication must be via citadeld
+vndbinder_use(hal_dumpstate_impl)
+binder_call(hal_dumpstate_impl, citadeld)
+allow hal_dumpstate_impl citadeld_service:service_manager find;
 
 # Vibrator
 r_dir_file(hal_dumpstate_impl, sysfs_leds)
 
 dontaudit hal_dumpstate_impl sensors_vendor_data_file:dir r_dir_perms;
 dontaudit hal_dumpstate_impl sensors_vendor_data_file:file r_file_perms;
-dontaudit hal_dumpstate_impl binder_device:chr_file rw_file_perms;
-dontaudit hal_dumpstate_impl vndbinder_device:chr_file rw_file_perms;
 
 # Access to vendor logging property
 set_prop(hal_dumpstate_impl, vendor_logging_prop)
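Review bot: The now-unconditional `binder_call(hal_dumpstate_impl, citadeld)` lets the dumpstate HAL call citadeld on user builds, and the rules in this hunk make no distinction between the version/stats queries and the `--id` and `--selftest` ones the description calls device-identifying. That restriction therefore has to be enforced in the dumpstate HAL code, which is not visible in this hunk. I would extend the comment to record it, e.g. `# User builds: only non-identifying Citadel queries; --id/--selftest must stay gated to userdebug/eng in the dumpstate HAL`. Separately, the removed `dontaudit hal_dumpstate_impl binder_device:chr_file rw_file_perms;` has no replacement allow here and the logged denials cover only vndbinder, so it is worth confirming the HAL never touches /dev/binder; otherwise testNoBugreportDenials could still see denials.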