Fix avc denials for Silent Logging

04-08 23:18:20.684   920   920 I HwBinder:920_1: type=1400 audit(0.0:486): avc: denied { call } for scontext=u:r:sced:s0 tcontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tclass=binder permissive=1
04-08 22:51:36.312  1000  6890  6890 I Thread-2: type=1400 audit(0.0:1390): avc: denied { call } for scontext=u:r:vendor_telephony_app:s0:c232,c259,c512,c768 tcontext=u:r:sced:s0 tclass=binder permissive=1

04-08 23:18:20.684  7099  7099 I auditd  : type=1400 audit(0.0:487): avc: denied { execute } for comm="HwBinder:920_1" name="sh" dev="dm-0" ino=464 scontext=u:r:sced:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
04-08 23:18:20.684  7099  7099 I auditd  : type=1400 audit(0.0:488): avc: denied { read open } for comm="HwBinder:920_1" path="/system/bin/sh" dev="overlay" ino=464 scontext=u:r:sced:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1

04-08 22:51:36.312  1000  8554  8554 I HwBinder:908_1: type=1400 audit(0.0:1391): avc: denied { execute_no_trans } for path="/vendor/bin/sh" dev="overlay" ino=377 scontext=u:r:sced:s0 tcontext=u:object_r:vendor_shell_exec:s0 tclass=file permissive=1
04-08 22:51:36.324  1000   908   908 I HwBinder:908_1: type=1400 audit(0.0:1392): avc: denied { search } for name="slog" dev="dm-7" ino=245 scontext=u:r:sced:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=1
04-08 22:51:36.324  1000   908   908 I HwBinder:908_1: type=1400 audit(0.0:1393): avc: denied { write } for name="slog" dev="dm-7" ino=245 scontext=u:r:sced:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=1
04-08 22:51:36.324  1000   908   908 I HwBinder:908_1: type=1400 audit(0.0:1394): avc: denied { add_name } for name="tcplog_20210408225136.pcap" scontext=u:r:sced:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=dir permissive=1
04-08 22:52:24.720  1000   908   908 I HwBinder:908_1: type=1400 audit(0.0:1427): avc: denied { create } for name="tcplog_20210408225224.pcap" scontext=u:r:sced:s0 tcontext=u:object_r:vendor_slog_file:s0 tclass=file permissive=1

04-08 23:18:23.160  7099  7099 I auditd  : type=1400 audit(0.0:505): avc: denied { getopt } for comm="tcpdump" scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1
04-08 23:18:23.160  7099  7099 I tcpdump : type=1400 audit(0.0:505): avc: denied { getopt } for scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1
04-08 23:18:23.160  7099  7099 I auditd  : type=1400 audit(0.0:506): avc: denied { setopt } for comm="tcpdump" scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1
04-08 23:18:23.160  7099  7099 I tcpdump : type=1400 audit(0.0:506): avc: denied { setopt } for scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1

04-08 23:58:53.664  8514  8514 I auditd  : type=1400 audit(0.0:500): avc: denied { getattr } for comm="sh" path="/system/bin/tcpdump" dev="overlay" ino=502 scontext=u:r:sced:s0 tcontext=u:object_r:tcpdump_exec:s0 tclass=file permissive=1
04-08 23:58:53.664  8514  8514 I auditd  : type=1400 audit(0.0:501): avc: denied { execute } for comm="sh" name="tcpdump" dev="dm-0" ino=502 scontext=u:r:sced:s0 tcontext=u:object_r:tcpdump_exec:s0 tclass=file permissive=1
04-08 23:58:53.664  8514  8514 I auditd  : type=1400 audit(0.0:502): avc: denied { read open } for comm="sh" path="/system/bin/tcpdump" dev="overlay" ino=502 scontext=u:r:sced:s0 tcontext=u:object_r:tcpdump_exec:s0 tclass=file permissive=1
04-08 23:58:53.668  8514  8514 I auditd  : type=1400 audit(0.0:503): avc: denied { execute_no_trans } for comm="sh" path="/system/bin/tcpdump" dev="overlay" ino=502 scontext=u:r:sced:s0 tcontext=u:object_r:tcpdump_exec:s0 tclass=file permissive=1
04-08 23:58:53.668  8514  8514 I auditd  : type=1400 audit(0.0:504): avc: denied { map } for comm="tcpdump" path="/system/bin/tcpdump" dev="overlay" ino=502 scontext=u:r:sced:s0 tcontext=u:object_r:tcpdump_exec:s0 tclass=file permissive=1

04-08 23:58:53.680  8514  8514 I auditd  : type=1400 audit(0.0:505): avc: denied { create } for comm="tcpdump" scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1
04-08 23:58:53.680  8514  8514 I auditd  : type=1400 audit(0.0:506): avc: denied { net_raw } for comm="tcpdump" capability=13 scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=capability permissive=1
04-08 23:58:53.680  8514  8514 I auditd  : type=1400 audit(0.0:507): avc: denied { ioctl } for comm="tcpdump" path="socket:[96140]" dev="sockfs" ino=96140 ioctlcmd=0x8933 scontext=u:r:sced:s0 tcontext=u:r:sced:s0 tclass=packet_socket permissive=1

04-13 19:19:38.493  1000   403   403 I auditd  : avc:  denied  { find } for interface=vendor.samsung_slsi.telephony.hardware.oemservice::IOemService sid=u:r:sced:s0 pid=909 scontext=u:r:sced:s0 tcontext=u:object_r:hal_vendor_oem_hwservice:s0 tclass=hwservice_manager permissive=0
04-13 21:40:13.054   404   404 I auditd  : avc:  denied  { add } for interface=vendor.samsung_slsi.telephony.hardware.oemservice::IOemService sid=u:r:sced:s0 pid=911 scontext=u:r:sced:s0 tcontext=u:object_r:hal_vendor_oem_hwservice:s0 tclass=hwservice_manager permissive=1
04-13 21:40:13.055   404   404 I auditd  : avc:  denied  { add } for interface=android.hidl.base::IBase sid=u:r:sced:s0 pid=911 scontext=u:r:sced:s0 tcontext=u:object_r:hidl_base_hwservice:s0 tclass=hwservice_manager permissive=1


Bug: 184921478
Test: manual test
Change-Id: I39eb403272a8a4fba0728c9f8eab5ea23096a540
Aaron Tsai 2021-04-14 16:17:12 +08:00
parent 65355b49a3
commit 204dc05aa4
4 changed files with 17 additions and 6 deletions


@ -1,4 +0,0 @@
# b/171760846
dontaudit sced hidl_base_hwservice:hwservice_manager { add };
dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { add };
dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { find };


@ -25,7 +25,8 @@ get_prop(dmd, vendor_persist_config_default_prop)
# Grant to access hwservice manager # Grant to access hwservice manager
get_prop(dmd, hwservicemanager_prop) get_prop(dmd, hwservicemanager_prop)
add_hwservice(dmd, hal_vendor_oem_hwservice) allow dmd hidl_base_hwservice:hwservice_manager add;
allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
binder_call(dmd, hwservicemanager) binder_call(dmd, hwservicemanager)
binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_diagnostic_app)
binder_call(dmd, modem_logging_control) binder_call(dmd, modem_logging_control)
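Review bot: Replacing `add_hwservice(dmd, hal_vendor_oem_hwservice)` with a bare `allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };` drops the `neverallow { domain -dmd } ... add` that the AOSP macro emits alongside the allow, presumably because sced is now also granted `add` on the same type in this commit; the registration guard for IOemService is gone entirely rather than widened. Restore it explicitly so no third domain can be handed the name later without a policy build failure, e.g. `neverallow { domain -dmd -sced } hal_vendor_oem_hwservice:hwservice_manager add;`. Since two domains can now register the interface that vendor_telephony_app looks up, a one-line comment stating which process is expected to own the name on a given build would help the next reader, as hwservicemanager's behaviour when both register is not visible from this policy.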


@ -2,9 +2,22 @@ type sced, domain;
type sced_exec, vendor_file_type, exec_type, file_type; type sced_exec, vendor_file_type, exec_type, file_type;
init_daemon_domain(sced) init_daemon_domain(sced)
typeattribute sced vendor_executes_system_violators;
userdebug_or_eng(` userdebug_or_eng(`
hwbinder_use(sced) hwbinder_use(sced)
binder_call(sced, dmd) binder_call(sced, dmd)
binder_call(sced, vendor_telephony_app)
get_prop(sced, hwservicemanager_prop) get_prop(sced, hwservicemanager_prop)
allow sced self:packet_socket create_socket_perms_no_ioctl;
allow sced self:capability net_raw;
allow sced shell_exec:file rx_file_perms;
allow sced tcpdump_exec:file rx_file_perms;
allow sced vendor_shell_exec:file x_file_perms;
allow sced vendor_slog_file:dir create_dir_perms;
allow sced vendor_slog_file:file create_file_perms;
allow sced hidl_base_hwservice:hwservice_manager add;
allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
') ')
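Review bot: `allow sced self:packet_socket create_socket_perms_no_ioctl;` does not cover the packet_socket `ioctl` with ioctlcmd=0x8933 that the commit message itself lists (the entry at 23:58:53.680), so tcpdump will presumably still fail on an enforcing build even though the manual test on a permissive one passed. Grant it scoped to the one request rather than all ioctls: `allow sced self:packet_socket create_socket_perms;` followed by `allowxperm sced self:packet_socket ioctl SIOCGIFINDEX;` (0x8933 is SIOCGIFINDEX; confirm the macro exists in this policy's ioctl definitions). Separately, `typeattribute sced vendor_executes_system_violators;` sits outside the `userdebug_or_eng` block while the only rules that need it, the `shell_exec` and `tcpdump_exec` execute permissions, are inside it, so user builds carry a Treble-violator exemption for nothing; move the typeattribute inside the block. `create_dir_perms` on `vendor_slog_file:dir` is also wider than the denials shown (search, write, add_name) and would permit rmdir/rename/reparent; `rw_dir_perms` is enough to create the pcap files under it.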


@ -16,3 +16,4 @@ allow vendor_telephony_app vendor_slog_file:file create_file_perms;
allow vendor_telephony_app app_api_service:service_manager find; allow vendor_telephony_app app_api_service:service_manager find;
allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find; allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find;
binder_call(vendor_telephony_app, dmd) binder_call(vendor_telephony_app, dmd)
binder_call(vendor_telephony_app, sced)
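Review bot: `binder_call(vendor_telephony_app, sced)` is unconditional here, while the matching `binder_call(sced, vendor_telephony_app)` in sced.te in this same change is inside `userdebug_or_eng`, so user builds keep a live binder path from the telephony app into a daemon whose logging functionality is compiled out. Gate this line the same way, `userdebug_or_eng(\`binder_call(vendor_telephony_app, sced)')`, so the rule and the feature it serves are switched together. Per the AOSP macro this also removes the reverse `transfer` and `fd use` grants to sced from user policy.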