From da1f9ffa7926a611a6a82fb95e6965cd6d70f15d Mon Sep 17 00:00:00 2001
From: martinwu
Date: Mon, 24 Apr 2023 02:28:32 +0000
Subject: [PATCH] Add sepolicy for dumpstate to zip tcpdump into bugreport
Bug: 264490014
Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there.
Change-Id: I04ca96860c78baf24afd7deecff7dd4d470d9539
---
 legacy/whitechapel_pro/file.te | 4 ----
 legacy/whitechapel_pro/file_contexts | 1 -
 tracking_denials/tcpdump_logger.te | 4 ----
 vendor/tcpdump_logger.te | 18 +++++++++++++++++-
 4 files changed, 17 insertions(+), 10 deletions(-)
 delete mode 100644 tracking_denials/tcpdump_logger.te
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 38d3dc82..23d748bf 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -1,15 +1,11 @@
 # Data
 type updated_wifi_firmware_data_file, file_type, data_file_type;
-type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 type sensor_debug_data_file, file_type, data_file_type;
-userdebug_or_eng(`
- typeattribute tcpdump_vendor_data_file mlstrustedobject;
-')
 # sysfs
 type bootdevice_sysdev, dev_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index a694d515..a9901c05 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -38,7 +38,6 @@
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
-/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
 /data/per_boot(/.*)? u:object_r:per_boot_file:s0
 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
diff --git a/tracking_denials/tcpdump_logger.te b/tracking_denials/tcpdump_logger.te
deleted file mode 100644
index b0a70465..00000000
--- a/tracking_denials/tcpdump_logger.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264490014
-userdebug_or_eng(`
- permissive tcpdump_logger;
-')
\ No newline at end of file
diff --git a/vendor/tcpdump_logger.te b/vendor/tcpdump_logger.te
index 10181049..7cf02450 100644
--- a/vendor/tcpdump_logger.te
+++ b/vendor/tcpdump_logger.te
@@ -1,5 +1,21 @@
 type tcpdump_logger, domain;
 type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(tcpdump_logger)
+userdebug_or_eng(`
+ # make transition from init to its domain
+ init_daemon_domain(tcpdump_logger)
+ allow tcpdump_logger self:capability net_raw;
+ allow tcpdump_logger self:packet_socket create_socket_perms;
+ allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
+ allow tcpdump_logger tcpdump_exec:file rx_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir search;
+ allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger wifi_logging_data_file:file create_file_perms;
+ allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms;
+
+ set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
+')
\ No newline at end of file
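Review bot: In the `vendor/tcpdump_logger.te` hunk, `allow tcpdump_logger tcpdump_vendor_data_file:dir search;` is redundant, because the `create_dir_perms` grant on the same type two lines above it already includes `search`; the line can be dropped. The `allowxperm ... ioctl 0x8933;` rule would be easier to audit with the ioctl named in a comment, e.g. `# 0x8933 = SIOCGIFINDEX`. The same domain that holds `net_raw` also receives `create_file_perms`/`create_dir_perms` on `radio_vendor_data_file` and `wifi_logging_data_file`; a short comment stating which paths it actually writes, or a narrower grant if it only needs to add files, would keep this least-privilege. The rules depend on `tcpdump_vendor_data_file`, whose declaration, `mlstrustedobject` attribute and `file_contexts` entry this commit removes from `legacy/whitechapel_pro`, so the type is presumably declared elsewhere in the tree; it is worth confirming that `/data/vendor/tcpdump_logger` keeps its label and that no dumpstate rule for the type is missing, since none is visible in these hunks.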