From 7ffeb3957c4ba60c9b3755cf6d9b409b25c6fdf3 Mon Sep 17 00:00:00 2001 From: Nikita Ioffe Date: Tue, 3 Jan 2023 16:12:05 +0000 Subject: dumpstate: explicitly specify capabilities If a service doesn't specify any capabilities in its definition in the .rc file, then it will inherit all the capabilities from the init. Although whether a process can use capabilities is actually controlled by selinux (so inheriting all the init capabilities is not actually a security vulnerability), it's better for defense-in-depth and just bookkeeping to explicitly specify the capabilities that dumpstate needs. The list of capabilities that dumpstate is allowed to use was obtained via: ``` $ adb pull /sys/fs/selinux/policy /tmp/selinux.policy $ sesearch --allow -s dumpstate -c capability,capability2 /tmp/selinux.policy allow dumpstate dumpstate:capability { chown dac_override dac_read_search fowner fsetid kill net_admin net_raw setgid setuid sys_ptrace sys_resource }; allow dumpstate dumpstate:capability2 { block_suspend syslog }; ``` Note: dumpstate can transition into several other domains, but none of them needs any capabilities: ``` $ sesearch --allow -s vdc -c capability,capability2 /tmp/selinux.policy $ sesearch --allow -s perfetto -c capability,capability2 /tmp/selinux.policy $ sesearch --allow -s derive_sdk -c capability,capability2 /tmp/selinux.policy ``` Bug: 249796710 Test: atest BugreportManagerTestCases Test: presubmit Change-Id: I6f03675b60d69063c3d944b370f4a8d325cfa7f9 --- cmds/dumpstate/dumpstate.rc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmds/dumpstate/dumpstate.rc b/cmds/dumpstate/dumpstate.rc index a80da4ec55..12a7cfface 100644 --- a/cmds/dumpstate/dumpstate.rc +++ b/cmds/dumpstate/dumpstate.rc 
@@ -8,6 +8,7 @@ service dumpstate /system/bin/dumpstate -s
 socket dumpstate stream 0660 shell log
 disabled
 oneshot
+ capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL NET_ADMIN NET_RAW SETGID SETUID SYS_PTRACE SYS_RESOURCE BLOCK_SUSPEND SYSLOG

 # dumpstatez generates a zipped bugreport but also uses a socket to print the file location once
 # it is finished.
@@ -16,9 +17,11 @@ service dumpstatez /system/bin/dumpstate -S
 class main
 disabled
 oneshot
+ capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL NET_ADMIN NET_RAW SETGID SETUID SYS_PTRACE SYS_RESOURCE BLOCK_SUSPEND SYSLOG

 # bugreportd starts dumpstate binder service and makes it wait for a listener to connect.
 service bugreportd /system/bin/dumpstate -w
 class main
 disabled
 oneshot
+ capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL NET_ADMIN NET_RAW SETGID SETUID SYS_PTRACE SYS_RESOURCE BLOCK_SUSPEND SYSLOG
-- cgit v1.2.3-59-g8ed1b
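Review bot: The same 14-entry `capabilities` line is pasted verbatim under three services with nothing in the file tying it to where it came from, so the next change to the dumpstate SELinux allow rules will silently leave one copy out of step with the others (init .rc syntax has no way to share the list, so all three copies must be edited together). I would add above the first service `# Keep in sync with the capability/capability2 allow rules for the dumpstate domain (sesearch --allow -s dumpstate -c capability,capability2); dumpstatez and bugreportd below carry the same list.` and a one-line `# capabilities: same list as the dumpstate service above` on the other two. Note also that no `user`/`group` line is visible for any of the three services, so they presumably still run as root, and SETUID, SETGID, DAC_OVERRIDE and SYS_PTRACE together leave the process close to full root; as the description says, SELinux remains the real gate and this line is bookkeeping rather than a privilege reduction, which is worth stating in the comment so nobody later treats it as the enforcement point. The `service dumpstate` and `service dumpstatez` header lines lie outside their respective hunks.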