From bce5748b4f77e28f982852673425bb2d84f7e850 Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Thu, 5 Sep 2024 14:55:14 +0800
Subject: [PATCH] storage: fix adb bugreport and refactor the existing rules
avc: denied { getattr } for comm="df" path="/mnt/vendor/persist" dev="sda15" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1
avc: denied { call } for comm="binder:10121_3" scontext=u:r:dumpstate:s0 tcontext=u:r:vold:s0 tclass=binder permissive=1
avc: denied { getattr } for comm="df" path="/mnt/vendor/efs" dev="sda5" ino=3 scontext=u:r:dumpstate:s0 tcontext=u:object_r:modem_efs_file:s0 tclass=dir permissive=1
avc: denied { getattr } for comm="df" path="/mnt/vendor/modem_userdata" dev="sda7" ino=3 scontext=u:r:dumpstate:s0 tcontext=u:object_r:modem_userdata_file:s0 tclass=dir permissive=1
Bug: 361093041
Test: local build
Change-Id: I5c6be63beebf66d64db7e495c28493ab35621054
Signed-off-by: Randall Huang
---
 storage/sepolicy/dump_storage.te | 6 ++++++
 storage/sepolicy/dumpstate.te | 8 +++++++-
 storage/sepolicy/e2fs.te | 1 +
 storage/sepolicy/fastbootd.te | 2 ++
 storage/sepolicy/file.te | 2 ++
 storage/sepolicy/fsck.te | 1 +
 storage/sepolicy/genfs_contexts | 2 ++
 storage/sepolicy/hal_health_default.te | 1 +
 storage/sepolicy/hal_health_storage_default.te | 1 +
 storage/sepolicy/hal_power_stats_default.te | 1 +
 storage/sepolicy/init.te | 2 ++
 storage/sepolicy/vendor_init.te | 2 ++
 storage/sepolicy/vold.te | 2 ++
 13 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/storage/sepolicy/dump_storage.te b/storage/sepolicy/dump_storage.te
index 5324c17..7a5f563 100644
--- a/storage/sepolicy/dump_storage.te
+++ b/storage/sepolicy/dump_storage.te
@@ -1,8 +1,11 @@
+# adb bugreport
 pixel_bugreport(dump_storage)
+# adb bugreport
 allow dump_storage sysfs_scsi_devices_0000:dir r_dir_perms;
 allow dump_storage sysfs_scsi_devices_0000:file r_file_perms;
+# adb bugreport
 userdebug_or_eng(`
 allow dump_storage debugfs_f2fs:dir r_dir_perms;
 allow dump_storage debugfs_f2fs:file r_file_perms;
@@ -17,7 +20,10 @@ userdebug_or_eng(`
 allow dump_storage dump_storage_data_file:file create_file_perms;
 ')
+# adb bugreport
 get_prop(dump_storage, boottime_public_prop)
+# adb bugreport
 dontaudit dump_storage debugfs_f2fs:dir r_dir_perms;
 dontaudit dump_storage debugfs_f2fs:file r_file_perms;
+
diff --git a/storage/sepolicy/dumpstate.te b/storage/sepolicy/dumpstate.te
index 2c01193..2220870 100644
--- a/storage/sepolicy/dumpstate.te
+++ b/storage/sepolicy/dumpstate.te
@@ -1 +1,7 @@
-allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
\ No newline at end of file
+# adb bugreport
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir { getattr };
+allow dumpstate modem_efs_file:dir { getattr };
+allow dumpstate modem_userdata_file:dir { getattr };
+allow dumpstate vold:binder { call };
+
diff --git a/storage/sepolicy/e2fs.te b/storage/sepolicy/e2fs.te
index 464b4ce..92ff839 100644
--- a/storage/sepolicy/e2fs.te
+++ b/storage/sepolicy/e2fs.te
@@ -7,3 +7,4 @@ allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_dev
 };
 allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
 allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
+
diff --git a/storage/sepolicy/fastbootd.te b/storage/sepolicy/fastbootd.te
index 35bac15..e571d0b 100644
--- a/storage/sepolicy/fastbootd.te
+++ b/storage/sepolicy/fastbootd.te
@@ -1 +1,3 @@
+# fastbootd
 allow fastbootd devpts:chr_file rw_file_perms;
+
diff --git a/storage/sepolicy/file.te b/storage/sepolicy/file.te
index ed4f925..0fa9564 100644
--- a/storage/sepolicy/file.te
+++ b/storage/sepolicy/file.te
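Review bot: The three `# adb bugreport` comments added in this hunk (and the two in the second dump_storage.te hunk, the one in dumpstate.te and the one in vold.te) label rule groups without saying what each group is for, so a reader still has to work out why dump_storage needs sysfs_scsi_devices_0000 or debugfs_f2fs. One attribution header at the top of the file is enough; each group is more useful with the resource it covers, e.g. `# bugreport: read UFS attributes under /sys/devices/platform/*ufs/*` above the sysfs rules, reusing the path wording hal_health_storage_default.te already has for the same type. The `userdebug_or_eng` allow group here and the `dontaudit` group at the end of the file are two halves of one decision (debugfs reads permitted on debug builds, silenced on user builds), and a comment stating that relationship would keep someone from later "fixing" the dontaudit in isolation.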
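Review bot: `allow dumpstate vold:binder { call };` is the one rule in the dumpstate.te hunk that is not minimal: the three `dir { getattr }` rules match the `df` denials quoted in the commit message exactly, but `binder call` lets dumpstate invoke any vold interface, and the denial only shows a binder thread (`comm="binder:10121_3"`), not which transaction bugreport needs. Recording it would let a later reviewer judge whether the grant is still required, e.g. `# dumpstate -> vold binder call for the storage section of adb bugreport (Bug: 361093041)`. If that transaction is a dump() request, vold presumably also has to write into the fd dumpstate passes, and the vold.te hunk shows `vold dumpstate:fd use` and `fifo_file` are dontaudited, so that half would fail silently; the denials were captured with permissive=1 and the test line says local build only, so confirming the section is populated on an enforcing build would close that gap. It is also worth checking whether core policy already grants this call before keeping a vendor copy.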
@@ -1,4 +1,6 @@
+# file.te
 type debugfs_f2fs, debugfs_type, fs_type;
 type dump_storage_data_file, file_type, data_file_type;
 type sg_device, dev_type;
 type sg_util_exec, exec_type, vendor_file_type, file_type;
+
diff --git a/storage/sepolicy/fsck.te b/storage/sepolicy/fsck.te
index 88efb35..7369bb4 100644
--- a/storage/sepolicy/fsck.te
+++ b/storage/sepolicy/fsck.te
@@ -4,3 +4,4 @@ allow fsck efs_block_device:blk_file rw_file_perms;
 allow fsck modem_userdata_block_device:blk_file rw_file_perms;
 allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
 allow fsck sysfs_scsi_devices_0000:file r_file_perms;
+
diff --git a/storage/sepolicy/genfs_contexts b/storage/sepolicy/genfs_contexts
index 1a27ec4..69baae6 100644
--- a/storage/sepolicy/genfs_contexts
+++ b/storage/sepolicy/genfs_contexts
@@ -1 +1,3 @@
+# f2fs
 genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
+
diff --git a/storage/sepolicy/hal_health_default.te b/storage/sepolicy/hal_health_default.te
index 58ec649..49bf50c 100644
--- a/storage/sepolicy/hal_health_default.te
+++ b/storage/sepolicy/hal_health_default.te
@@ -1,2 +1,3 @@
 # dumpsys android.hardware.power.stats.IPowerStats/default
 r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
+
diff --git a/storage/sepolicy/hal_health_storage_default.te b/storage/sepolicy/hal_health_storage_default.te
index af6593a..20a3b7d 100644
--- a/storage/sepolicy/hal_health_storage_default.te
+++ b/storage/sepolicy/hal_health_storage_default.te
@@ -1,3 +1,4 @@
 # Access to /sys/devices/platform/*ufs/*
 allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
+
diff --git a/storage/sepolicy/hal_power_stats_default.te b/storage/sepolicy/hal_power_stats_default.te
index 4d4dda7..edd286c 100644
--- a/storage/sepolicy/hal_power_stats_default.te
+++ b/storage/sepolicy/hal_power_stats_default.te
@@ -1,2 +1,3 @@
 # dumpsys android.hardware.power.stats.IPowerStats/default
 r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
+
diff --git a/storage/sepolicy/init.te b/storage/sepolicy/init.te
index 7070318..dc24247 100644
--- a/storage/sepolicy/init.te
+++ b/storage/sepolicy/init.te
@@ -1 +1,3 @@
+# init
 allow init sysfs_scsi_devices_0000:file w_file_perms;
+
diff --git a/storage/sepolicy/vendor_init.te b/storage/sepolicy/vendor_init.te
index da4fcba..f5f17e4 100644
--- a/storage/sepolicy/vendor_init.te
+++ b/storage/sepolicy/vendor_init.te
@@ -1 +1,3 @@
+# vendor_init
 allow vendor_init sg_device:chr_file r_file_perms;
+
diff --git a/storage/sepolicy/vold.te b/storage/sepolicy/vold.te
index 87387a7..529f495 100644
--- a/storage/sepolicy/vold.te
+++ b/storage/sepolicy/vold.te
@@ -5,9 +5,11 @@ allow vold sysfs_scsi_devices_0000:file rw_file_perms;
 allow vold userdata_exp_block_device:blk_file rw_file_perms;
 allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD;
+# adb bugreport
 dontaudit vold dumpstate:fifo_file rw_file_perms;
 dontaudit vold dumpstate:fd use ;
 # fix idle-maint
 allow vold efs_block_device:blk_file { getattr };
 allow vold modem_userdata_block_device:blk_file { getattr };
+