diff options
author | 2023-01-03 16:12:05 +0000 | |
---|---|---|
committer | 2023-01-03 16:12:05 +0000 | |
commit | 7ffeb3957c4ba60c9b3755cf6d9b409b25c6fdf3 (patch) | |
tree | e2d68b631d1615ff629e3d12b91e8e1286b63284 | |
parent | dc44a31e26b918f21b4ed560d893a8cfe03d536b (diff) |
dumpstate: explicitly specify capabilities
If a service doesn't specify any capabilities in it's definition in the
.rc file, then it will inherit all the capabilities from the init.
Although whether a process can use capabilities is actually controlled
by selinux (so inheriting all the init capabilities is not actually a
security vulnerability), it's better for defense-in-depth and just
bookkeeping to explicitly specify the capabilities that dumpstate needs.
The list of capabilities that dumpstate is allowed to use was obtained via:
```
$ adb pull /sys/fs/selinux/policy /tmp/selinux.policy
$ sesearch --allow -s dumpstate -c capability,capability2 /tmp/selinux.policy
allow dumpstate dumpstate:capability { chown dac_override dac_read_search fowner fsetid kill net_admin net_raw setgid setuid sys_ptrace sys_resource };
allow dumpstate dumpstate:capability2 { block_suspend syslog };
```
Note: dumpstate can transfer in several other domains, but all of them
either don't need any capabilities:
```
$ sesearch --allow -s vdc -c capability,capability2 /tmp/selinux.policy
$ sesearch --allow -s perfetto -c capability,capability2 /tmp/selinux.policy
$ sesearch --allow -s derive_sdk -c capability,capability2 /tmp/selinux.policy
```
Bug: 249796710
Test: atest BugreportManagerTestCases
Test: presubmit
Change-Id: I6f03675b60d69063c3d944b370f4a8d325cfa7f9
-rw-r--r-- | cmds/dumpstate/dumpstate.rc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/cmds/dumpstate/dumpstate.rc b/cmds/dumpstate/dumpstate.rc index a80da4ec55..12a7cfface 100644 --- a/cmds/dumpstate/dumpstate.rc +++ b/cmds/dumpstate/dumpstate.rc @@ -8,6 +8,7 @@ service dumpstate /system/bin/dumpstate -s socket dumpstate stream 0660 shell log disabled oneshot + capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL NET_ADMIN NET_RAW SETGID SETUID SYS_PTRACE SYS_RESOURCE BLOCK_SUSPEND SYSLOG # dumpstatez generates a zipped bugreport but also uses a socket to print the file location once # it is finished. @@ -16,9 +17,11 @@ service dumpstatez /system/bin/dumpstate -S class main disabled oneshot + capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL NET_ADMIN NET_RAW SETGID SETUID SYS_PTRACE SYS_RESOURCE BLOCK_SUSPEND SYSLOG # bugreportd starts dumpstate binder service and makes it wait for a listener to connect. service bugreportd /system/bin/dumpstate -w class main disabled oneshot + capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL NET_ADMIN NET_RAW SETGID SETUID SYS_PTRACE SYS_RESOURCE BLOCK_SUSPEND SYSLOG |