Ensure taking a bugreport generates no denials.

This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports and verified that there were no denials.
Merged-In: I753e9d98ee70d66dd1fec210fd05d09a0d20a44c
Change-Id: I753e9d98ee70d66dd1fec210fd05d09a0d20a44c
(cherry picked from commit 789dffd51199d255c63b2c9e7f439d01e1bc27bc)
diff --git a/sepolicy/dumpstate.te b/sepolicy/dumpstate.te
index fb34c53..8b9a564 100644
--- a/sepolicy/dumpstate.te
+++ b/sepolicy/dumpstate.te
@@ -2,3 +2,10 @@
 #allow dumpstate smlog_dump_file:dir create_dir_perms;
 #allow dumpstate smlog_dump_file:file create_file_perms;
 ')
+
+# For collecting bugreports.
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate sysfs_scsi_devices_other:file r_file_perms;
+allow dumpstate sysfs_devices_block_stat:file r_file_perms;
+allow dumpstate persist_file:dir getattr;
+dontaudit dumpstate kernel:system module_request;
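Review bot: The `dontaudit dumpstate kernel:system module_request;` line silences the denial instead of resolving it, and the shared `# For collecting bugreports.` comment does not say why suppression is acceptable. Because dontaudit drops the audit record, any later module-load request made in dumpstate's context will no longer appear in denial logs. I would give the rule its own comment, something like `# Denied on purpose; suppress the log noise seen while collecting a bugreport.`, and name the triggering operation if it is known. The `')` context line shows that the hunk follows a macro block which starts outside the hunk, so the new rules appear to apply to every build variant.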
diff --git a/sepolicy/file.te b/sepolicy/file.te
index cfc92c7..3d7d750 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -36,6 +36,8 @@
 type sysfs_video, sysfs_type, fs_type;
 type sysfs_diag, fs_type, sysfs_type;
 type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type sysfs_scsi_devices_other, sysfs_type, fs_type;
+type sysfs_devices_block_stat, sysfs_type, fs_type;
 # b/70518189 vDSO experiments
 type sysfs_vdso, fs_type, sysfs_type;
 
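Review bot: The name `sysfs_devices_block_stat` reads as if it covers the stat node of every block device, but the only labelling rule in this commit is the `/sys/devices/virtual/block/.*/stat` entry in file_contexts. A later `allow ... sysfs_devices_block_stat:file` rule could be written on the assumption that it covers physical devices too. I would either rename the type to reflect the virtual-only scope or add a comment above it such as `# stat nodes of virtual block devices under /sys/devices/virtual/block`. `sysfs_scsi_devices_other` would benefit from a similar one-line comment saying which nodes it labels.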
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 198c7ee..3e67179 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -208,3 +208,5 @@
 
 # b/70518189 vDSO experiments
 /sys/module/vdso/parameters  u:object_r:sysfs_vdso:s0
+
+/sys/devices/virtual/block/.*/stat u:object_r:sysfs_devices_block_stat:s0
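Review bot: In `/sys/devices/virtual/block/.*/stat` the `.*` also matches `/`, so any file named `stat` at any depth below `/sys/devices/virtual/block/` gets the label, not just the per-device node. If only the top-level node is intended, `/sys/devices/virtual/block/[^/]+/stat` states that exactly. If nested nodes are meant to be covered, a short comment saying so would help. This is also a file_contexts entry for sysfs, so it only takes effect when something relabels the path. It is worth confirming that these nodes carry the label when dumpstate reads them, since the other sysfs labels in this change use genfs_contexts.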
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index c741a90..73a078a 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -62,6 +62,11 @@
 genfscon sysfs /module/diagchar/parameters/timestamp_switch           u:object_r:sysfs_timestamp_switch:s0
 genfscon sysfs /devices/soc/qpnp-smbcharger-16/power_supply/battery/system_temp_level u:object_r:sysfs_msm_subsys:s0
 genfscon sysfs /devices/soc/624000.ufshc/host0/target0:0:0/0:0:0:0    u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/soc/624000.ufshc/host0/target0:0:0/0:0:0:1    u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/624000.ufshc/host0/target0:0:0/0:0:0:2    u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/624000.ufshc/host0/target0:0:0/0:0:0:3    u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/624000.ufshc/host0/target0:0:0/0:0:0:4    u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/soc/624000.ufshc/host0/target0:0:0/0:0:0:5    u:object_r:sysfs_scsi_devices_other:s0
 genfscon sysfs /devices/soc/624000.ufshc/health                       u:object_r:sysfs_scsi_devices_0000:s0
 genfscon sysfs /module/diagchar                       u:object_r:sysfs_diag:s0
 
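Review bot: The five added entries enumerate `0:0:0:1` through `0:0:0:5` by hand, so a node outside that range would keep whatever label it had before and the denial this commit targets could come back. A comment above the group would make the assumption explicit, for example `# UFS LUNs 1-5; LUN 0 keeps sysfs_scsi_devices_0000`. It is also worth noting why these get a separate type from LUN 0, since dumpstate and vold are granted the same permissions on both types in this change.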
diff --git a/sepolicy/hal_dumpstate_impl.te b/sepolicy/hal_dumpstate_impl.te
index 135506c..80e4ea5 100644
--- a/sepolicy/hal_dumpstate_impl.te
+++ b/sepolicy/hal_dumpstate_impl.te
@@ -60,3 +60,6 @@
 allow hal_dumpstate_impl sysfs_scsi_devices_0000:file r_file_perms;
 allow hal_dumpstate_impl debugfs_ufs:dir r_dir_perms;
 allow hal_dumpstate_impl debugfs_ufs:file r_file_perms;
+
+# For collecting bugreports.
+allow hal_dumpstate_impl shell_data_file:file getattr;
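Review bot: `allow hal_dumpstate_impl shell_data_file:file getattr;` gives a vendor HAL domain access to a shell-owned data type, and `# For collecting bugreports.` does not say which file this is or how the HAL reaches it. If the access is only a stat on a descriptor handed over by dumpstate, which is my guess and should be confirmed, the comment should say so. Something like `# getattr on the bugreport output fd passed in by dumpstate` would keep a later reader from widening the rule. Only getattr is granted, which is appropriately narrow.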
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 6d22e19..3fdcfad 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -2,4 +2,5 @@
 dontaudit vold proc_irq:dir read;
 
 allow vold sysfs_scsi_devices_0000:file w_file_perms;
+allow vold sysfs_scsi_devices_other:file w_file_perms;
 allow vold persist_file:dir r_dir_perms;
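Review bot: `allow vold sysfs_scsi_devices_other:file w_file_perms;` is a write grant on the newly labelled LUN nodes, which is outside the commit's stated goal of a denial-free bugreport and has no comment. It presumably preserves access vold already had before these nodes were relabelled, mirroring the `sysfs_scsi_devices_0000` line above it, but the hunk does not show that. I would add a comment naming the node vold actually writes, along the lines of `# vold writes <node> on each UFS LUN`, with the placeholder filled in. If vold does not need to write to LUNs 1-5, the rule should be dropped.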