Add sepolicy for dumpstate to zip tcpdump into bugreport

Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: I04ca96860c78baf24afd7deecff7dd4d470d9539
2023-04-24 02:28:32 +00:00 · 2023-04-24 02:28:32 +00:00 · da1f9ffa79
commit da1f9ffa79
parent d90ebc1fdb
4 changed files with 17 additions and 10 deletions
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@ -1,15 +1,11 @@
 # Data
 type updated_wifi_firmware_data_file, file_type, data_file_type;
-type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 type sensor_debug_data_file, file_type, data_file_type;
-userdebug_or_eng(`
-  typeattribute tcpdump_vendor_data_file mlstrustedobject;
-')

 # sysfs
 type bootdevice_sysdev, dev_type;
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@ -38,7 +38,6 @@
 /data/vendor/ss(/.*)?                                                       u:object_r:tee_data_file:s0
 /data/nfc(/.*)?                                                             u:object_r:nfc_data_file:s0
 /data/vendor/firmware/wifi(/.*)?                                            u:object_r:updated_wifi_firmware_data_file:s0
-/data/vendor/tcpdump_logger(/.*)?                                           u:object_r:tcpdump_vendor_data_file:s0
 /data/vendor/misc(/.*)?                                                     u:object_r:vendor_misc_data_file:s0
 /data/per_boot(/.*)?                                                        u:object_r:per_boot_file:s0
 /data/vendor/sensors/registry(/.*)?                                         u:object_r:sensor_reg_data_file:s0
--- a/tracking_denials/tcpdump_logger.te
+++ b/tracking_denials/tcpdump_logger.te
@ -1,4 +0,0 @@
-# b/264490014
-userdebug_or_eng(`
-  permissive tcpdump_logger;
-')
--- a/vendor/tcpdump_logger.te
+++ b/vendor/tcpdump_logger.te
@ -1,5 +1,21 @@
 type tcpdump_logger, domain;
 type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;

-init_daemon_domain(tcpdump_logger)
+userdebug_or_eng(`
+  # make transition from init to its domain
+  init_daemon_domain(tcpdump_logger)

+  allow tcpdump_logger self:capability net_raw;
+  allow tcpdump_logger self:packet_socket create_socket_perms;
+  allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
+  allow tcpdump_logger tcpdump_exec:file rx_file_perms;
+  allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
+  allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
+  allow tcpdump_logger tcpdump_vendor_data_file:dir search;
+  allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
+  allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
+  allow tcpdump_logger wifi_logging_data_file:file create_file_perms;
+  allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms;
+
+  set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
+')