From 62abd5daf8301fcefef0d60063babfa45b866dd3 Mon Sep 17 00:00:00 2001
From: jonerlin <jonerlin@google.com>
Date: Wed, 23 Oct 2024 14:44:06 +0000
Subject: [PATCH] add sepolicy rules for bluetooth common hal dumpstate

10-27 07:29:30.836000  1000  7403  7403 I auditd  : type=1400 audit(0.0:1002): avc:  denied  { search } for  comm="dump_bt" name="radio" dev="dm-52" ino=378 scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1
10-27 07:29:30.836000  1000  7403  7403 I dump_bt : type=1400 audit(0.0:1002): avc:  denied  { search } for  name="radio" dev="dm-52" ino=378 scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1
10-27 07:29:30.836000  1000  7403  7403 I auditd  : type=1400 audit(0.0:1003): avc:  denied  { write } for  comm="dump_bt" name="all_logs" dev="dm-52" ino=15632 scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1
10-27 07:29:30.836000  1000  7403  7403 I dump_bt : type=1400 audit(0.0:1003): avc:  denied  { write } for  name="all_logs" dev="dm-52" ino=15632 scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1
10-27 07:29:30.836000  1000  7403  7403 I auditd  : type=1400 audit(0.0:1004): avc:  denied  { add_name } for  comm="dump_bt" name="bt" scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1
10-27 07:29:30.836000  1000  7403  7403 I dump_bt : type=1400 audit(0.0:1004): avc:  denied  { add_name } for  name="bt" scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1
10-27 07:29:30.836000  1000  7403  7403 I auditd  : type=1400 audit(0.0:1005): avc:  denied  { create } for  comm="dump_bt" name="bt" scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1
10-27 07:29:30.836000  1000  7403  7403 I dump_bt : type=1400 audit(0.0:1005): avc:  denied  { create } for  name="bt" scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1
10-27 07:29:30.836000  1000  7403  7403 I auditd  : type=1400 audit(0.0:1006): avc:  denied  { read } for  comm="dump_bt" name="bluetooth" dev="dm-52" ino=405 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-27 07:29:30.836000  1000  7403  7403 I dump_bt : type=1400 audit(0.0:1006): avc:  denied  { read } for  name="bluetooth" dev="dm-52" ino=405 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-27 11:02:17.568000  1000  7510  7510 I auditd  : type=1400 audit(0.0:1005): avc:  denied  { open } for  comm="dump_bt" path="/data/vendor/bluetooth" dev="dm-52" ino=405 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-27 11:02:17.568000  1000  7510  7510 I dump_bt : type=1400 audit(0.0:1005): avc:  denied  { open } for  path="/data/vendor/bluetooth" dev="dm-52" ino=405 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-27 11:02:17.568000  1000  7510  7510 I auditd  : type=1400 audit(0.0:1006): avc:  denied  { read } for  comm="dump_bt" name="bt" dev="dm-52" ino=16645 scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1
10-27 11:02:17.568000  1000  7510  7510 I dump_bt : type=1400 audit(0.0:1006): avc:  denied  { read } for  name="bt" dev="dm-52" ino=16645 scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=dir permissive=1
10-27 11:02:17.568000  1000  7510  7510 I auditd  : type=1400 audit(0.0:1007): avc:  denied  { search } for  comm="dump_bt" name="bluetooth" dev="dm-52" ino=405 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-27 11:02:17.568000  1000  7510  7510 I dump_bt : type=1400 audit(0.0:1007): avc:  denied  { search } for  name="bluetooth" dev="dm-52" ino=405 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-27 11:02:17.568000  1000  7510  7510 I auditd  : type=1400 audit(0.0:1008): avc:  denied  { read } for  comm="dump_bt" name="btsnoop_hci_vnd.log.last" dev="dm-52" ino=15209 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=file permissive=1
10-27 11:02:17.568000  1000  7510  7510 I dump_bt : type=1400 audit(0.0:1008): avc:  denied  { read } for  name="btsnoop_hci_vnd.log.last" dev="dm-52" ino=15209 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=file permissive=1
10-27 11:02:17.568000  1000  7510  7510 I auditd  : type=1400 audit(0.0:1009): avc:  denied  { open } for  comm="dump_bt" path="/data/vendor/bluetooth/btsnoop_hci_vnd.log.last" dev="dm-52" ino=15209 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=file permissive=1
10-27 11:02:17.568000  1000  7510  7510 I dump_bt : type=1400 audit(0.0:1009): avc:  denied  { open } for  path="/data/vendor/bluetooth/btsnoop_hci_vnd.log.last" dev="dm-52" ino=15209 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=file permissive=1
10-27 21:03:41.980000  1000  7526  7526 I auditd  : type=1400 audit(0.0:1015): avc:  denied  { create } for  comm="dump_bt" name="btsnoop_hci_vnd.log.last" scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=file permissive=1
10-27 21:03:41.980000  1000  7526  7526 I dump_bt : type=1400 audit(0.0:1015): avc:  denied  { create } for  name="btsnoop_hci_vnd.log.last" scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=file permissive=1
10-27 21:03:41.980000  1000  7526  7526 I auditd  : type=1400 audit(0.0:1016): avc:  denied  { write open } for  comm="dump_bt" path="/data/vendor/radio/logs/always-on/all_logs/bt/btsnoop_hci_vnd.log.last" dev="dm-52" ino=15548 scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=file permissive=1
10-27 21:03:41.980000  1000  7526  7526 I dump_bt : type=1400 audit(0.0:1016): avc:  denied  { write open } for  path="/data/vendor/radio/logs/always-on/all_logs/bt/btsnoop_hci_vnd.log.last" dev="dm-52" ino=15548 scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=file permissive=1
10-27 21:03:41.980000  1000  7526  7526 I auditd  : type=1400 audit(0.0:1017): avc:  denied  { getattr } for  comm="dump_bt" path="/data/vendor/bluetooth/btsnoop_hci_vnd.log.last" dev="dm-52" ino=11478 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=file permissive=1
10-27 21:03:41.980000  1000  7526  7526 I dump_bt : type=1400 audit(0.0:1017): avc:  denied  { getattr } for  path="/data/vendor/bluetooth/btsnoop_hci_vnd.log.last" dev="dm-52" ino=11478 scontext=u:r:dump_bt:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=file permissive=1
10-27 21:03:41.980000  1000  7526  7526 I auditd  : type=1400 audit(0.0:1018): avc:  denied  { getattr } for  comm="dump_bt" path="/data/vendor/radio/logs/always-on/all_logs/bt/btsnoop_hci_vnd.log.last" dev="dm-52" ino=15548 scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=file permissive=1
10-27 21:03:41.980000  1000  7526  7526 I dump_bt : type=1400 audit(0.0:1018): avc:  denied  { getattr } for  path="/data/vendor/radio/logs/always-on/all_logs/bt/btsnoop_hci_vnd.log.last" dev="dm-52" ino=15548 scontext=u:r:dump_bt:s0 tcontext=u:object_r:radio_vendor_data_file:s0 tclass=file permissive=1
10-27 21:03:42.000000  1000  7526  7526 I auditd  : type=1400 audit(0.0:1019): avc:  denied  { search } for  comm="dump_bt" name="ssrdump" dev="dm-52" ino=425 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir permissive=1
10-27 21:03:42.000000  1000  7526  7526 I dump_bt : type=1400 audit(0.0:1019): avc:  denied  { search } for  name="ssrdump" dev="dm-52" ino=425 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir permissive=1
10-28 00:05:09.220000  1000  8227  8227 I auditd  : type=1400 audit(0.0:1062): avc:  denied  { read } for  comm="dump_bt" name="coredump" dev="dm-52" ino=426 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=dir permissive=1
10-28 00:05:09.220000  1000  8227  8227 I dump_bt : type=1400 audit(0.0:1062): avc:  denied  { read } for  name="coredump" dev="dm-52" ino=426 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=dir permissive=1
10-28 00:05:09.220000  1000  8227  8227 I auditd  : type=1400 audit(0.0:1063): avc:  denied  { open } for  comm="dump_bt" path="/data/vendor/ssrdump/coredump" dev="dm-52" ino=426 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=dir permissive=1
10-28 00:05:09.220000  1000  8227  8227 I dump_bt : type=1400 audit(0.0:1063): avc:  denied  { open } for  path="/data/vendor/ssrdump/coredump" dev="dm-52" ino=426 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=dir permissive=1
10-28 00:05:09.220000  1000  8227  8227 I auditd  : type=1400 audit(0.0:1064): avc:  denied  { search } for  comm="dump_bt" name="coredump" dev="dm-52" ino=426 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=dir permissive=1
10-28 00:05:09.220000  1000  8227  8227 I dump_bt : type=1400 audit(0.0:1064): avc:  denied  { search } for  name="coredump" dev="dm-52" ino=426 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=dir permissive=1
10-28 00:05:09.220000  1000  8227  8227 I auditd  : type=1400 audit(0.0:1065): avc:  denied  { read } for  comm="dump_bt" name="coredump_bt_socdump_2024-10-28_00-04-17.bin" dev="dm-52" ino=15913 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=file permissive=1
10-28 00:05:09.220000  1000  8227  8227 I dump_bt : type=1400 audit(0.0:1065): avc:  denied  { read } for  name="coredump_bt_socdump_2024-10-28_00-04-17.bin" dev="dm-52" ino=15913 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=file permissive=1
10-28 00:05:09.220000  1000  8227  8227 I auditd  : type=1400 audit(0.0:1066): avc:  denied  { open } for  comm="dump_bt" path="/data/vendor/ssrdump/coredump/coredump_bt_socdump_2024-10-28_00-04-17.bin" dev="dm-52" ino=15913 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=file permissive=1
10-28 00:05:09.220000  1000  8227  8227 I dump_bt : type=1400 audit(0.0:1066): avc:  denied  { open } for  path="/data/vendor/ssrdump/coredump/coredump_bt_socdump_2024-10-28_00-04-17.bin" dev="dm-52" ino=15913 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=file permissive=1
10-28 07:01:56.708000  1000  7681  7681 I auditd  : type=1400 audit(0.0:1019): avc:  denied  { getattr } for  comm="dump_bt" path="/data/vendor/ssrdump/coredump/coredump_bt_socdump_2024-10-28_07-01-11.bin" dev="dm-52" ino=16414 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=file permissive=1
10-28 07:01:56.708000  1000  7681  7681 I dump_bt : type=1400 audit(0.0:1019): avc:  denied  { getattr } for  path="/data/vendor/ssrdump/coredump/coredump_bt_socdump_2024-10-28_07-01-11.bin" dev="dm-52" ino=16414 scontext=u:r:dump_bt:s0 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=file permissive=1
10-24 09:58:37.780000  1000  7820  7820 I auditd  : type=1400 audit(0.0:985): avc:  denied  { read } for  comm="dump_bt" name="bluetooth" dev="dm-51" ino=405 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-24 09:58:37.780000  1000  7820  7820 I dump_bt : type=1400 audit(0.0:985): avc:  denied  { read } for  name="bluetooth" dev="dm-51" ino=405 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-24 09:58:37.780000  1000  7820  7820 I auditd  : type=1400 audit(0.0:986): avc:  denied  { open } for  comm="dump_bt" path="/data/vendor/bluetooth" dev="dm-51" ino=405 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-24 09:58:37.780000  1000  7820  7820 I dump_bt : type=1400 audit(0.0:986): avc:  denied  { open } for  path="/data/vendor/bluetooth" dev="dm-51" ino=405 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-24 09:58:37.780000  1000  7820  7820 I auditd  : type=1400 audit(0.0:987): avc:  denied  { search } for  comm="dump_bt" name="bluetooth" dev="dm-51" ino=405 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-24 09:58:37.780000  1000  7820  7820 I dump_bt : type=1400 audit(0.0:987): avc:  denied  { search } for  name="bluetooth" dev="dm-51" ino=405 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=dir permissive=1
10-24 09:58:37.780000  1000  7820  7820 I auditd  : type=1400 audit(0.0:988): avc:  denied  { read } for  comm="dump_bt" name="btsnoop_hci_vnd.log.last" dev="dm-51" ino=15291 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=file permissive=1
10-24 09:58:37.780000  1000  7820  7820 I dump_bt : type=1400 audit(0.0:988): avc:  denied  { read } for  name="btsnoop_hci_vnd.log.last" dev="dm-51" ino=15291 scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_bt_data_file:s0 tclass=file permissive=1

Bug: 373526518
Bug: 372146292
Test: build pass, get bugreport and check bt dumpstate log files
Flag: EXEMPT, mechanical change.
Change-Id: I65025ffdac1c3017c494ae2a9fe8deeb5c7ce970
---
 bluetooth/dump/dumplog.mk             |  2 ++
 bluetooth/dump/sepolicy/dump.te       | 12 ++++++++++++
 bluetooth/dump/sepolicy/file_contexts |  2 ++
 3 files changed, 16 insertions(+)
 create mode 100644 bluetooth/dump/sepolicy/dump.te
 create mode 100644 bluetooth/dump/sepolicy/file_contexts

diff --git a/bluetooth/dump/dumplog.mk b/bluetooth/dump/dumplog.mk
index d47d4ec..51c3b3c 100644
--- a/bluetooth/dump/dumplog.mk
+++ b/bluetooth/dump/dumplog.mk
@@ -1 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/bluetooth/dump/sepolicy/
+
 PRODUCT_PACKAGES_DEBUG += dump_bt
diff --git a/bluetooth/dump/sepolicy/dump.te b/bluetooth/dump/sepolicy/dump.te
new file mode 100644
index 0000000..fdd123e
--- /dev/null
+++ b/bluetooth/dump/sepolicy/dump.te
@@ -0,0 +1,12 @@
+# pixel bluetooth common hal service
+pixel_bugreport(dump_bt)
+
+allow hal_dumpstate_default vendor_bt_data_file:dir { open read search };
+allow hal_dumpstate_default vendor_bt_data_file:file read;
+allow dump_bt radio_vendor_data_file:dir create_dir_perms;
+allow dump_bt radio_vendor_data_file:file create_file_perms;
+allow dump_bt vendor_bt_data_file:dir r_dir_perms;
+allow dump_bt vendor_bt_data_file:file r_file_perms;
+allow dump_bt sscoredump_vendor_data_crashinfo_file:dir search;
+allow dump_bt sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+allow dump_bt sscoredump_vendor_data_coredump_file:file r_file_perms;
diff --git a/bluetooth/dump/sepolicy/file_contexts b/bluetooth/dump/sepolicy/file_contexts
new file mode 100644
index 0000000..da28d10
--- /dev/null
+++ b/bluetooth/dump/sepolicy/file_contexts
@@ -0,0 +1,2 @@
+# bt common hal dump_bt service
+/vendor/bin/dump/dump_bt           u:object_r:dump_bt_exec:s0