Add ramoops decryption

Bug: 37554629
Bug: 37553996
Test: Walleye/Taimen able to decrypt ramoops
Change-Id: I834460a0d8dc878aef511ebac47335eb30e53980
diff --git a/device.mk b/device.mk
index 30bf66a..64629b6 100755
--- a/device.mk
+++ b/device.mk
@@ -66,7 +66,8 @@
     $(LOCAL_PATH)/uinput-fpc.idc:system/usr/idc/uinput-fpc.idc \
     $(LOCAL_PATH)/init.qcom.devstart.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.qcom.devstart.sh \
     $(LOCAL_PATH)/init.qcom.ipastart.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.qcom.ipastart.sh \
-    $(LOCAL_PATH)/init.insmod.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.insmod.sh
+    $(LOCAL_PATH)/init.insmod.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.insmod.sh \
+    $(LOCAL_PATH)/init.ramoops.sh:$(TARGET_COPY_OUT_SYSTEM)/bin/init.ramoops.sh
 
 ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
   PRODUCT_COPY_FILES += \
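Review bot: The new entry copies init.ramoops.sh into `$(TARGET_COPY_OUT_SYSTEM)/bin` while the neighbouring init scripts in the same list go to `$(TARGET_COPY_OUT_VENDOR)/bin`; that matches the `/system/bin/init\.ramoops\.sh` label added to file_contexts, so a one-line comment above the entry saying the script deliberately lives in system (it execs `/system/bin/ramoops` and `/system/bin/sh`) would stop a later cleanup from moving it to vendor and breaking the label. The `ramoops` binary itself is not added to PRODUCT_PACKAGES anywhere in this diff; if it arrives through another change, naming that change in the commit message would help, since without it `ramoops_sh` exits with an error on every boot.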
diff --git a/init.hardware.rc b/init.hardware.rc
index 3dae048..295e26f 100644
--- a/init.hardware.rc
+++ b/init.hardware.rc
@@ -226,6 +226,12 @@
     # Wait qseecomd started
     wait_for_prop sys.listeners.registered true
 
+on property:sys.user.0.ce_available=true
+    mkdir /data/misc_ce/0/ramoops
+    start ramoops_sh
+
+on property:sys.ramoops.decrypted=true
+    mount pstore pstore /sys/fs/pstore
 
 on property:sys.listeners.registered=true
     # load IPA FWs
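Review bot: `mkdir /data/misc_ce/0/ramoops` takes init's defaults (mode 0755, root:root) for a directory that, per the script comment, holds key material; an explicit `mkdir /data/misc_ce/0/ramoops 0700 root root` (or whatever owner the service settles on) keeps the directory from being listable by every uid and documents the intent. The second block only remounts pstore on `sys.ramoops.decrypted=true`; on the script's `Error-…` value pstore stays unmounted after the earlier `umount`, so a comment such as `# pstore stays unmounted if decryption fails; nothing should read the encrypted records` would record whether that is deliberate or an oversight. Only user 0's CE directory is created here, although file_contexts labels `/data/misc_ce/[0-9]+/ramoops`; that looks intentional, but is worth a note if secondary users are never expected to need it.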
@@ -459,6 +465,13 @@
     # default country code
     setprop ro.boot.wificountrycode 00
 
+    # Encrypted ramoops
+    umount /sys/fs/pstore
+    chmod 770 /dev/access-ramoops
+    chown system system /dev/access-ramoops
+    chmod 770 /dev/access-metadata
+    chown system system /dev/access-metadata
+
     # Make the ftm4 command node writeable from dumpstate
     chown system system /sys/devices/virtual/input/ftm4_touch/cmd
 
@@ -775,3 +788,11 @@
     group root system
     disabled
     oneshot
+
+service ramoops_sh /system/bin/init.ramoops.sh
+    class main
+    user root
+    group root system
+    disabled
+    oneshot
+
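Review bot: `ramoops_sh` runs as `user root` even though the earlier hunk deliberately hands the two device nodes to `system system`; if the sysfs attributes under `/sys/devices/virtual/ramoops/pstore/` are writable by root only, root is required and a comment saying so (`# root: use_alt/aes_key sysfs attributes are root-writable`) would justify it, otherwise `user system` with `group system` would make the service match the node permissions and run with less privilege. The SELinux domain is already confined via `ramoops_exec`, so the uid is the remaining lever. The trailing blank line added at end of file is whitespace only.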
diff --git a/init.ramoops.sh b/init.ramoops.sh
new file mode 100644
index 0000000..3457c21
--- /dev/null
+++ b/init.ramoops.sh
@@ -0,0 +1,20 @@
+#!/system/bin/sh
+
+# Decrypt the keys and write them to the kernel
+ramoops -D
+
+if [ $? -eq 0 ]; then
+    # Pivot (and decrypt) and remount pstore
+    echo 1 > /sys/devices/virtual/ramoops/pstore/use_alt
+    setprop sys.ramoops.decrypted true
+else
+    setprop sys.ramoops.decrypted Error-$?
+fi
+
+# Generate keys (if none exist), and load the keys to carveout
+if [[ $(getprop ro.hardware) == "walleye" ]]; then
+    ramoops -g -l -c
+else
+    ramoops -g -l
+fi
+
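Review bot: `setprop sys.ramoops.decrypted Error-$?` in the else branch publishes the exit status of the `[ $? -eq 0 ]` test (which is 1 whenever that branch is reached), not the status of `ramoops -D`, so the property can never carry the real error code. Capture the status immediately after the call: `ramoops -D`, `rc=$?`, then `if [ "$rc" -eq 0 ]; then` and `setprop sys.ramoops.decrypted Error-$rc`. The redirect into `use_alt` is also unchecked, so `decrypted=true` (and the pstore mount it triggers in init.hardware.rc) can fire even when the pivot write failed; testing the echo's status before the `setprop` would make the trigger trustworthy. `[[ … ]]` is mksh-specific rather than POSIX `sh`; it works with `/system/bin/sh` on Android but `[ "$(getprop ro.hardware)" = "walleye" ]` would read the same and be portable.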
diff --git a/sepolicy/private/device.te b/sepolicy/private/device.te
new file mode 100644
index 0000000..ae7cadd
--- /dev/null
+++ b/sepolicy/private/device.te
@@ -0,0 +1 @@
+type ramoops_device, dev_type;
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index 53de775..88cdca0 100644
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@@ -1,3 +1,8 @@
-/system/bin/folio_daemon        u:object_r:folio_daemon_exec:s0
-/data/misc/elabel(/.*)?         u:object_r:elabel_data_file:s0
-/system/bin/init\.elabel\.sh    u:object_r:init_elabel_exec:s0
+/system/bin/folio_daemon          u:object_r:folio_daemon_exec:s0
+/data/misc/elabel(/.*)?           u:object_r:elabel_data_file:s0
+/system/bin/init\.elabel\.sh      u:object_r:init_elabel_exec:s0
+/system/bin/ramoops               u:object_r:ramoops_exec:s0
+/system/bin/init\.ramoops\.sh     u:object_r:ramoops_exec:s0
+/dev/access-metadata              u:object_r:ramoops_device:s0
+/dev/access-ramoops               u:object_r:ramoops_device:s0
+/data/misc_ce/[0-9]+/ramoops(/.*)? u:object_r:ramoops_data_file:s0
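Review bot: The three pre-existing entries are re-emitted only to realign their columns, which turns a five-line addition into an eight-line rewrite and hides the real change in a blame view; leaving the old lines untouched (or doing the realignment in a separate whitespace-only change) is the usual convention for these files. Labelling both `/system/bin/ramoops` and `/system/bin/init\.ramoops\.sh` as `ramoops_exec` is fine because the script execs the binary inside the same domain, but a short comment above the two lines (`# script and binary share one domain`) would stop someone from "fixing" the duplicate label later.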
diff --git a/sepolicy/private/genfs_contexts b/sepolicy/private/genfs_contexts
new file mode 100644
index 0000000..9c5764a
--- /dev/null
+++ b/sepolicy/private/genfs_contexts
@@ -0,0 +1,4 @@
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key                  u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key_iv               u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key_tag              u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/use_alt                  u:object_r:sysfs_pstore:s0
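Review bot: The four attributes get the single label `sysfs_pstore`, which ramoops.te then opens with `rw_file_perms`; that grants the domain read access to `aes_key`, `aes_key_iv` and `aes_key_tag` as well as write. If the daemon only ever writes the key material (the script comment says "write them to the kernel") the key files could be split to a type with write-only access, or at least the read side should be called out in a comment so that the broader grant is a conscious choice. A genfscon entry labels the path and everything below it, so the parent directory `/devices/virtual/ramoops/pstore` itself keeps the generic sysfs label — worth stating in a comment if a future attribute added there is expected to inherit `sysfs_pstore`, because it will not.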
diff --git a/sepolicy/private/property.te b/sepolicy/private/property.te
new file mode 100644
index 0000000..cc8bd9c
--- /dev/null
+++ b/sepolicy/private/property.te
@@ -0,0 +1 @@
+type ramoops_prop, property_type;
diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
new file mode 100644
index 0000000..3a5384c
--- /dev/null
+++ b/sepolicy/private/property_contexts
@@ -0,0 +1 @@
+sys.ramoops.decrypted         u:object_r:ramoops_prop:s0
diff --git a/sepolicy/private/ramoops.te b/sepolicy/private/ramoops.te
new file mode 100644
index 0000000..57161d9
--- /dev/null
+++ b/sepolicy/private/ramoops.te
@@ -0,0 +1,20 @@
+type ramoops, domain, coredomain;
+type ramoops_data_file, file_type, data_file_type;
+type ramoops_exec, exec_type, file_type;
+
+init_daemon_domain(ramoops);
+
+# kmod=crypto-gcm(aes)
+dontaudit ramoops kernel:system module_request;
+
+allow ramoops ramoops_exec:file rx_file_perms;
+allow ramoops shell_exec:file rx_file_perms;
+allow ramoops toolbox_exec:file rx_file_perms;
+
+# Set the sys.ramoops.decrypted property
+set_prop(ramoops, ramoops_prop);
+
+allow ramoops sysfs_pstore:file rw_file_perms;
+allow ramoops ramoops_device:chr_file rw_file_perms;
+allow ramoops ramoops_data_file:file create_file_perms;
+allow ramoops ramoops_data_file:dir rw_dir_perms;
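Review bot: `dontaudit ramoops kernel:system module_request;` silences the kernel's request to autoload the cipher named in the comment, so if `crypto-gcm(aes)` is not built into the kernel the decrypt step fails with no audit record to explain it; the comment should say why the denial is acceptable, e.g. `# kmod=crypto-gcm(aes): cipher is built-in, the autoload request is spurious noise`, or the rule should be an `allow` if the module genuinely has to load. `allow ramoops sysfs_pstore:file rw_file_perms;` covers all four attributes from genfs_contexts including read of the three `aes_key*` files; if the daemon only writes keys, `w_file_perms` (plus `rw` for `use_alt` via a separate type) would be the tighter shape. The `shell_exec` and `toolbox_exec` grants exist only so init.ramoops.sh can run under this domain; a one-line comment tying them to the script would make that clear.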
diff --git a/sepolicy/public/file.te b/sepolicy/public/file.te
index cc8ee0a..ad98df7 100644
--- a/sepolicy/public/file.te
+++ b/sepolicy/public/file.te
@@ -1 +1,2 @@
 type elabel_data_file, file_type, data_file_type;
+type sysfs_pstore, sysfs_type, fs_type;