subsystem_ramdump: Fix avc denials - Add neccesary sepolicy rules - Remove dontaudit avc: denied { open } for comm="subsystem_ramdu" path="/dev" dev="tmpfs" ino=20712 scontext=u:r:vendor_subsystem_ramdump:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=1 avc: denied { read } for comm="subsystem_ramdu" name="ramdump_md_a615_zap" dev="tmpfs" ino=12399 scontext=u:r:vendor_subsystem_ramdump:s0 tcontext=u:object_r:ramdump_device:s0 tclass=chr_file permissive=1 avc: denied { getattr } for comm="subsystem_ramdu" path="/data/vendor/ssrdump" dev="dm-0" ino=213 scontext=u:r:vendor_subsystem_ramdump:s0 tcontext=u:object_r:ramdump_vendor_data_file:s0 tclass=dir permissive=1 avc: denied { search } for comm="subsystem_ramdu" name="msm_subsys" dev="sysfs" ino=23528 scontext=u:r:vendor_subsystem_ramdump:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1 avc: denied { read } for comm="subsystem_ramdu" name="devices" dev="sysfs" ino=23530 scontext=u:r:vendor_subsystem_ramdump:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir permissive=1 avc: denied { write } for name="property_service" dev="tmpfs" ino=21046 scontext=u:r:vendor_subsystem_ramdump:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 avc: denied { open } for comm="subsystem_ramdu" path="/sys/module/subsystem_restart/parameters/enable_ramdumps" dev="sysfs" ino=34872 scontext=u:r:vendor_subsystem_ramdump:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 avc: denied { read } for comm="subsystem_ramdu" name="name" dev="sysfs" ino=50560 scontext=u:r:vendor_subsystem_ramdump:s0 tcontext=u:object_r:sysfs_ssr:s0 tclass=file permissive=1 avc: denied { search } for comm="subsystem_ramdu" name="ssrlog" dev="dm-0" ino=214 scontext=u:r:vendor_subsystem_ramdump:s0 tcontext=u:object_r:ssr_log_file:s0 tclass=dir permissive=1 avc: denied { append } for comm="subsystem_ramdu" name="ssr_log.txt" dev="dm-0" ino=7548 scontext=u:r:vendor_subsystem_ramdump:s0 tcontext=u:object_r:ssr_log_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="subsystem_ramdu" path="/sys/devices/platform/soc/4080000.qcom,mss/subsys2/crash_reason" dev="sysfs" ino=50290 scontext=u:r:vendor_subsystem_ramdump:s0 tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file permissive=1 Bug: 144547953 Test: No related avc denial found Change-Id: I8e75e340bd7a5133f2afcdca0f79704055f4c4e9

commit: c523f1f2acc86ab5ebceb8facc7aad7e018c0fc7 [log] [tgz]
author: SalmaxChang <salmaxchang@google.com> Fri Nov 22 18:46:45 2019 +0800
committer: SalmaxChang <salmaxchang@google.com> Tue Nov 26 15:56:17 2019 +0800
tree: d65468b3b02ae033f5997671555cf6862b3d8f82
parent: 9ab47ceda04f803ee27c0b6f12c3ce6f2f4ac043 [diff]
diff --git a/vendor/google/vendor_subsystem_ramdump.te b/vendor/google/vendor_subsystem_ramdump.te
deleted file mode 100644
index a9d5702..0000000
--- a/vendor/google/vendor_subsystem_ramdump.te
+++ /dev/null

@@ -1,8 +0,0 @@
-dontaudit vendor_subsystem_ramdump device:dir { open read };
-dontaudit vendor_subsystem_ramdump ramdump_device:chr_file { open read };
-dontaudit vendor_subsystem_ramdump ramdump_vendor_data_file:dir { getattr open read };
-dontaudit vendor_subsystem_ramdump sysfs_esoc:dir { open read search };
-dontaudit vendor_subsystem_ramdump sysfs:file { open read };
-dontaudit vendor_subsystem_ramdump sysfs_msm_subsys:dir { open read search };
-dontaudit vendor_subsystem_ramdump sysfs_msm_subsys:file getattr;
-dontaudit vendor_subsystem_ramdump sysfs_ssr:file { open read };

diff --git a/vendor/qcom/common/genfs_contexts b/vendor/qcom/common/genfs_contexts
index 667062e..5adfed2 100644
--- a/vendor/qcom/common/genfs_contexts
+++ b/vendor/qcom/common/genfs_contexts

@@ -27,3 +27,4 @@
 genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws@1e08000                                                                          u:object_r:sysfs_data:s0
 genfscon sysfs /devices/virtual/xt_hardidletimer/timers                                                                                u:object_r:sysfs_data:s0
 genfscon sysfs /devices/virtual/xt_idletimer/timers                                                                                    u:object_r:sysfs_data:s0
+genfscon sysfs /module/subsystem_restart/parameters/enable_ramdumps                                                                    u:object_r:sysfs_ssr:s0

diff --git a/vendor/qcom/common/subsystem_ramdump.te b/vendor/qcom/common/subsystem_ramdump.te
index 8f9b6b1..74bb35a 100644
--- a/vendor/qcom/common/subsystem_ramdump.te
+++ b/vendor/qcom/common/subsystem_ramdump.te

@@ -1,3 +1,23 @@
 type vendor_subsystem_ramdump, domain;
 type vendor_subsystem_ramdump_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(vendor_subsystem_ramdump);
+
+userdebug_or_eng(`
+  allow vendor_subsystem_ramdump proc_sysrq:file w_file_perms;
+  allow vendor_subsystem_ramdump device:dir r_dir_perms;
+
+  allow vendor_subsystem_ramdump ramdump_device:chr_file r_file_perms;
+
+  allow vendor_subsystem_ramdump ramdump_vendor_data_file:file create_file_perms;
+  allow vendor_subsystem_ramdump ramdump_vendor_data_file:dir rw_dir_perms;
+
+  r_dir_file(vendor_subsystem_ramdump, sysfs_msm_subsys)
+
+  allow vendor_subsystem_ramdump sysfs_ssr:file r_file_perms;
+
+  allow vendor_subsystem_ramdump ssr_log_file:dir rw_dir_perms;
+  allow vendor_subsystem_ramdump ssr_log_file:file create_file_perms;
+
+  set_prop(vendor_subsystem_ramdump, vendor_ssr_prop);
+  get_prop(vendor_subsystem_ramdump, vendor_ramdump_prop);
+')
commit	c523f1f2acc86ab5ebceb8facc7aad7e018c0fc7	[log] [tgz]
author	SalmaxChang <salmaxchang@google.com>	Fri Nov 22 18:46:45 2019 +0800
committer	SalmaxChang <salmaxchang@google.com>	Tue Nov 26 15:56:17 2019 +0800
tree	d65468b3b02ae033f5997671555cf6862b3d8f82
parent	9ab47ceda04f803ee27c0b6f12c3ce6f2f4ac043 [diff]