From 884c7d0c1ddd16d9c39a36f7bad0b7b5fb7f266e Mon Sep 17 00:00:00 2001 From: Jie Song Date: Fri, 7 Apr 2017 12:26:19 -0700 Subject: [PATCH] Move logging folder from data to data/vendor diag_logs cnss_diag ramdump Bug: 36734870 Test: Capture logs and check no SELinux denial Change-Id: Ic7a7c7052c06b82b88cdaf3057d65e8a6765284c --- init.common.diag.rc.userdebug | 8 +++++--- init.common.rc | 2 +- sepolicy/cnss_diag.te | 4 ++-- sepolicy/file.te | 5 +++-- sepolicy/file_contexts | 6 +++--- sepolicy/hrdump.te | 4 ++-- sepolicy/logger_app.te | 19 +++++++++++++++++++ sepolicy/platform_app.te | 7 ------- sepolicy/ramdump_app.te | 12 ++++++++++++ sepolicy/seapp_contexts | 3 +++ sepolicy/ssr_detector.te | 4 ++-- sepolicy/subsystem_ramdump.te | 6 +++--- 12 files changed, 55 insertions(+), 25 deletions(-) create mode 100644 sepolicy/logger_app.te create mode 100644 sepolicy/ramdump_app.te diff --git a/init.common.diag.rc.userdebug b/init.common.diag.rc.userdebug index 4bf2094bf..a678b810d 100644 --- a/init.common.diag.rc.userdebug +++ b/init.common.diag.rc.userdebug @@ -2,9 +2,11 @@ on post-fs-data # Modem logging collection - mkdir /data/diag_logs 0777 system system + mkdir /data/vendor/radio 0775 radio radio + mkdir /data/vendor/radio/diag_logs 0777 system system # WLAN logging collection - mkdir /data/cnss_diag 0777 system system + mkdir /data/vendor/wifi 0777 system system + mkdir /data/vendor/wifi/cnss_diag 0777 system system # SM DUMP logging collection mkdir /data/smlog_dump 0777 system system @@ -111,7 +113,7 @@ service cnss_diag /vendor/bin/cnss_diag -q -u group system oneshot -service cnss_diag_txt /vendor/bin/cnss_diag -s -f -m /data/cnss_diag/cnss_diag.conf +service cnss_diag_txt /vendor/bin/cnss_diag -s -f -m /data/vendor/wifi/cnss_diag/cnss_diag.conf class late_start user system group system diff --git a/init.common.rc b/init.common.rc index 5a333f100..8225c5e31 100644 --- a/init.common.rc +++ b/init.common.rc 
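Review bot: The new WLAN parent directory is created world-writable, `mkdir /data/vendor/wifi 0777 system system`, while the radio parent two lines above it gets `0775 radio radio`. Only the leaf `cnss_diag` directory has to be writable by the logging app, and the parent needs search permission at most, so `mkdir /data/vendor/wifi 0771 system system` would keep DAC as a second layer under the SELinux policy. The leaf stays 0777 and, per the `cnss_diag_txt` service line in the next hunk, also holds the `cnss_diag.conf` that a system-uid service reads. A comment there should say that write access is expected to be confined by SELinux alone.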
@@ -605,7 +605,7 @@ service ss_ramdump /vendor/bin/subsystem_ramdump on property:persist.sys.ssr.enable_ramdumps=1 write /sys/module/subsystem_restart/parameters/enable_ramdumps 1 - mkdir /data/ramdump 761 root system + mkdir /data/vendor/ramdump 761 root system start ss_ramdump on property:persist.sys.ssr.enable_ramdumps=0 diff --git a/sepolicy/cnss_diag.te b/sepolicy/cnss_diag.te index 3efdef068..faf164b81 100644 --- a/sepolicy/cnss_diag.te +++ b/sepolicy/cnss_diag.te @@ -14,6 +14,6 @@ dontaudit cnss_diag self:udp_socket create; userdebug_or_eng(` allow cnss_diag diag_device:chr_file rw_file_perms; - allow cnss_diag cnss_diag_data_file:dir create_dir_perms; - allow cnss_diag cnss_diag_data_file:file create_file_perms; + allow cnss_diag cnss_vendor_data_file:dir create_dir_perms; + allow cnss_diag cnss_vendor_data_file:file create_file_perms; ') diff --git a/sepolicy/file.te b/sepolicy/file.te index d37b3546b..7c8091719 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -4,8 +4,6 @@ type sysfs_nanoapp_cmd, sysfs_type, fs_type; type firmware_file, fs_type, contextmount_type; # /data -type diag_logs, file_type, data_file_type, mlstrustedobject; -type cnss_diag_data_file, file_type, data_file_type, mlstrustedobject; type smlog_dump_file, file_type, data_file_type; type location_data_file, file_type, data_file_type; type perfd_data_file, file_type, data_file_type; @@ -17,6 +15,9 @@ type nanohub_lock_file, file_type, data_file_type; type sensors_cal_file, file_type; type sensors_saved_settings_file, file_type, data_file_type; type nfc_vendor_data_file, file_type, data_file_type; +type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject; +type cnss_vendor_data_file, file_type, data_file_type, mlstrustedobject; +type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; # /sys type sysfs_camera, sysfs_type, fs_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 81fe41c1b..a5d8d0170 100644 
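Review bot: The relocated `mkdir /data/vendor/ramdump 761 root system` keeps a mode that looks like a typo: group `system` gets read/write without search, and everyone else gets search only. Under that mode a process that is not root and cannot bypass DAC cannot create entries there, whatever the SELinux rules on `ramdump_vendor_data_file` allow. The new `ramdump_app` domain, an `_app` uid per seapp_contexts, may therefore be blocked; this is inferred, since the dump writer's uid is not visible here. If group access is intended, `mkdir /data/vendor/ramdump 0771 root system` is the usual form, but the mode is carried over unchanged from the old path, so confirm before changing it. The trigger block continues outside the hunk.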
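Review bot: All three types added in the second file.te hunk carry `mlstrustedobject`, including `ramdump_vendor_data_file`, and the file gives no reason for it. The attribute exempts these objects from the MLS read/write checks, which is presumably what lets the `levelFrom=all` apps added in seapp_contexts share the directories with the s0 daemons. For memory dumps that is a notable relaxation. Add a comment above the three lines, for example `# mlstrustedobject: shared between s0 vendor daemons and levelFrom=all debug apps (userdebug/eng only)`, and drop the attribute from any type that turns out not to need it.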
--- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -182,8 +182,6 @@ /sys/kernel/debug/ion(/.*)? u:object_r:debugfs_ion:s0 # /data -/data/diag_logs(/.*)? u:object_r:diag_logs:s0 -/data/cnss_diag(/.*)? u:object_r:cnss_diag_data_file:s0 /data/smlog_dump(/.*)? u:object_r:smlog_dump_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/time(/.*)? u:object_r:time_data_file:s0 @@ -198,7 +196,9 @@ /data/system/nanohub_lock(/.*)? u:object_r:nanohub_lock_file:s0 /data/misc/sensorcal_saved\.json u:object_r:sensors_saved_settings_file:s0 /data/vendor/nfc(/.*)? u:object_r:nfc_vendor_data_file:s0 - +/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 +/data/vendor/wifi(/.*)? u:object_r:cnss_vendor_data_file:s0 +/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0 # / diff --git a/sepolicy/hrdump.te b/sepolicy/hrdump.te index ba396fdcd..3bc51160f 100644 --- a/sepolicy/hrdump.te +++ b/sepolicy/hrdump.te @@ -12,8 +12,8 @@ set_prop(htc_ramdump, debug_prop) allow htc_ramdump rootfs:file { r_file_perms }; allow htc_ramdump misc_block_device:blk_file { rw_file_perms }; -allow htc_ramdump ramdump_data_file:file { create_file_perms }; -allow htc_ramdump ramdump_data_file:dir { create_dir_perms }; +allow htc_ramdump ramdump_vendor_data_file:file { create_file_perms }; +allow htc_ramdump ramdump_vendor_data_file:dir { create_dir_perms }; allow htc_ramdump block_device:dir { search }; allow htc_ramdump ramdump_block_device:blk_file { open read }; ') diff --git a/sepolicy/logger_app.te b/sepolicy/logger_app.te new file mode 100644 index 000000000..59c9bffb4 --- /dev/null +++ b/sepolicy/logger_app.te 
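Review bot: The entries added in the second file_contexts hunk label the whole parent trees, `/data/vendor/radio(/.*)?` and `/data/vendor/wifi(/.*)?`, with the log types, not just the `diag_logs` and `cnss_diag` subdirectories that init creates. Anything later stored elsewhere under those parents would inherit a type on which `logger_app` holds `create_file_perms` and `create_dir_perms`. Scoping the patterns to the log directories keeps the grant as narrow as the removed `/data/diag_logs` and `/data/cnss_diag` entries were: `/data/vendor/radio/diag_logs(/.*)? u:object_r:radio_vendor_data_file:s0` and `/data/vendor/wifi/cnss_diag(/.*)? u:object_r:cnss_vendor_data_file:s0`. The writers would then need search on whatever label the parent directories receive, which is not visible in this hunk.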
@@ -0,0 +1,19 @@
+type logger_app, domain;
+
+userdebug_or_eng(`
+ app_domain(logger_app)
+ net_domain(logger_app)
+
+ allow logger_app app_api_service:service_manager find;
+ allow logger_app surfaceflinger_service:service_manager find;
+
+ allow logger_app diag_device:chr_file rw_file_perms;
+
+ allow logger_app radio_vendor_data_file:file create_file_perms;
+ allow logger_app radio_vendor_data_file:dir create_dir_perms;
+
+ allow logger_app cnss_vendor_data_file:dir create_dir_perms;
+ allow logger_app cnss_vendor_data_file:file create_file_perms;
+
+ set_prop(logger_app, cnss_diag_prop);
+')
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 702d61c5c..3a01e2234 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -4,15 +4,8 @@ userdebug_or_eng(`
 # accesses data owned by vendor components
 typeattribute platform_app vendordata_in_core_violators;
 # qxdmlogger rundiag perms
- allow platform_app diag_logs:dir rw_dir_perms;
- allow platform_app diag_logs:file create_file_perms;
- allow platform_app diag_device:chr_file rw_file_perms;
- allow platform_app cnss_diag_data_file:dir create_dir_perms;
- allow platform_app cnss_diag_data_file:file create_file_perms;
 allow platform_app ramdump_data_file:dir { getattr open read remove_name rmdir search write };
 allow platform_app ramdump_data_file:file { getattr open read unlink write };
 dontaudit platform_app proc_sysrq:file getattr;
 dontaudit platform_app proc_iomem:file getattr;
- set_prop(platform_app, cnss_diag_prop);
- set_prop(platform_app, ramdump_prop);
 ')
diff --git a/sepolicy/ramdump_app.te b/sepolicy/ramdump_app.te
new file mode 100644
index 000000000..91a957f31
--- /dev/null
+++ b/sepolicy/ramdump_app.te
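Review bot: The new `logger_app` domain combines `net_domain(logger_app)` with `rw_file_perms` on `diag_device` and create access to the modem and Wi-Fi log trees, and the file has no comment saying what the app is or why it needs sockets. If uploading logs is not part of the app, drop the `net_domain` line; otherwise add a header such as `# com.android.nexuslogger: collects modem/WLAN diag logs, userdebug/eng only` and a one-line reason above the network macro. `type logger_app, domain;` sits outside `userdebug_or_eng` and the seapp_contexts mapping is unconditional, so on user builds the app would land in a domain with no rules. A comment should state that this is intended. ramdump_app.te has the same shape and wants the same header.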
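Review bot: After this hunk `platform_app` still holds the two `ramdump_data_file` rules and `typeattribute platform_app vendordata_in_core_violators;`, although every other domain in the commit moves to `ramdump_vendor_data_file` and the ramdump app gets its own domain. If nothing running as `platform_app` touches the old `/data/ramdump` any more, these lines are dead grants and can go together with the violator attribute. Whether `ramdump_data_file` is still defined or used elsewhere is not visible here. The surviving `# qxdmlogger rundiag perms` comment now sits above rules that have nothing to do with diag and should be removed or reworded.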
@@ -0,0 +1,12 @@ +type ramdump_app, domain; + +userdebug_or_eng(` + app_domain(ramdump_app) + + allow ramdump_app app_api_service:service_manager find; + + allow ramdump_app ramdump_vendor_data_file:file create_file_perms; + allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms; + + set_prop(ramdump_app, ramdump_prop); +') diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts index f0ba11c9b..454b44b63 100644 --- a/sepolicy/seapp_contexts +++ b/sepolicy/seapp_contexts @@ -4,6 +4,9 @@ user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camer user=system seinfo=platform name=com.quicinc.cne.CNEService domain=qcneservice type=system_app_data_file user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector type=system_app_data_file +user=_app seinfo=platform name=com.android.nexuslogger domain=logger_app type=app_data_file levelFrom=all +user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all + # AtFwd and FastDormancy apps user=system seinfo=platform name=com.qualcomm.telephony domain=qtelephony type=system_app_data_file diff --git a/sepolicy/ssr_detector.te b/sepolicy/ssr_detector.te index 99509e032..1427ebc6a 100644 --- a/sepolicy/ssr_detector.te +++ b/sepolicy/ssr_detector.te @@ -4,8 +4,8 @@ type ssr_detector, domain; app_domain(ssr_detector) userdebug_or_eng(` - allow ssr_detector ramdump_data_file:dir r_dir_perms; - allow ssr_detector ramdump_data_file:file r_file_perms; + allow ssr_detector ramdump_vendor_data_file:dir r_dir_perms; + allow ssr_detector ramdump_vendor_data_file:file r_file_perms; get_prop(ssr_detector, ssr_prop) ') diff --git a/sepolicy/subsystem_ramdump.te b/sepolicy/subsystem_ramdump.te index ba983c9fb..78fed6700 100644 --- a/sepolicy/subsystem_ramdump.te +++ b/sepolicy/subsystem_ramdump.te 
@@ -1,4 +1,4 @@ -# Policy for system/bin/subsystem_ramdump +# Policy for vendor/bin/subsystem_ramdump type subsystem_ramdump_exec, exec_type, file_type; userdebug_or_eng(` type subsystem_ramdump, domain; @@ -9,8 +9,8 @@ userdebug_or_eng(` r_dir_file(subsystem_ramdump, sysfs_type) - allow subsystem_ramdump ramdump_data_file:dir rw_dir_perms; - allow subsystem_ramdump ramdump_data_file:file create_file_perms; + allow subsystem_ramdump ramdump_vendor_data_file:dir rw_dir_perms; + allow subsystem_ramdump ramdump_vendor_data_file:file create_file_perms; set_prop(subsystem_ramdump, ssr_prop) ')