commit 50e18002f8b96ddf5631e6b9b80c8da3455fda26
author Leon Jeng <leonjeng@google.com> Sat Jan 25 12:34:47 2020 +0800
committer Leon Jeng <leonjeng@google.com> Mon Feb 03 07:48:44 2020 +0000
tree faef8ceced6c8854c2f537dcb26aa2b953bd8e26
parent f488a8a5b4aedf2ec1429e442f866abec2dac529

Add generic sepolicy for SSRestartDetector.

The reasons for adding these policies are listed in
b/146477826#comment3

Please note that this commit is supposed to make the generic function
of SSRestartDector work.

We still need each subsystem owner's help to check each subsys-specific
functions in SSRestartDector. E.g. actions or data-collecting which
only happens when the crashing subsys is specific one - modem, bt,
wifi, gps, video, audio, sensor, etc.

Bug: 146477826

Test: Manually simulate modem crash using MDS utility, make sure there
is no ssr_detector_app selinux message.

Change-Id: I5038f27225c4e025d0870c2519c8aa9945214761

tracking_denials/ssr_detector_app.te

diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te
deleted file mode 100644
index 9e325bb..0000000
--- a/tracking_denials/ssr_detector_app.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/146477826
-dontaudit ssr_detector_app cgroup:file write;
-dontaudit ssr_detector_app ramdump_vendor_data_file:dir read;
-dontaudit ssr_detector_app system_app_data_file:dir { getattr search };

vendor/google/ssr_detector.te

diff --git a/vendor/google/ssr_detector.te b/vendor/google/ssr_detector.te
index 56c6657..92b0c10 100644
--- a/vendor/google/ssr_detector.te
+++ b/vendor/google/ssr_detector.te
@@ -4,3 +4,25 @@
 app_domain(ssr_detector_app)
 
 allow ssr_detector_app app_api_service:service_manager find;
+allow ssr_detector_app radio_service:service_manager find;
+
+userdebug_or_eng(`
+  allow ssr_detector_app ramdump_vendor_data_file:dir r_dir_perms;
+  allow ssr_detector_app ramdump_vendor_data_file:file r_file_perms;
+  get_prop(ssr_detector_app, vendor_ssr_prop)
+')
+
+get_prop(ssr_detector_app, vendor_wifi_version)
+get_prop(ssr_detector_app, public_vendor_system_prop)
+
+# ssr_detector app's data type is system_app_data_file.
+allow ssr_detector_app system_app_data_file:dir { getattr search };
+
+allow ssr_detector_app cgroup:file w_file_perms;
+
+allow ssr_detector_app sysfs:lnk_file r_file_perms;
+r_dir_file(ssr_detector_app, sysfs_msm_subsys)
+r_dir_file(ssr_detector_app, sysfs_ssr)
+
+allow ssr_detector_app sysfs_ssr_writable:file getattr;
+