sepolicy/policy/chromeos/log-and-errors/cros_crash.te - mirrors/cros/chromiumos/platform2 - Git at Google

 # SELinux policy for crash reporting.

 type cros_crash, cros_miscdomain, chromeos_domain, domain;

 permissive cros_crash;

 allow cros_crash chromeos:fd use;

 allow cros_crash devpts:chr_file rw_file_perms;
 allow cros_crash cros_labeled_dev_type:chr_file rw_file_perms;

 allow cros_crash cros_syslog:file r_file_perms;

 allow cros_crash unlabeled:dir search;


 # FOR DEBUG
 # Allow execute (but not transition to escape from enforced domain) crash_reporter to observe if there's
 # other permissive callers than below.
 allow chromeos_domain cros_crash_reporter_exec:file execute;
 auditallow {
 chromeos_domain
 -kernel
 -cros_init
 -cros_init_scripts
 -cros_init_scripts_domain
 -cros_shill
 -cros_anomaly_detector
 -cros_crash # self-exec
 } cros_crash_reporter_exec:file execute;


 # crash-reporter to be executed by anomaly_detector/init/init scripts/shill
 domain_auto_trans({
 kernel
 cros_init
 cros_init_scripts
 cros_init_scripts_domain
 cros_shill
 cros_anomaly_detector
 }, cros_crash_reporter_exec, cros_crash);

 allow cros_crash cros_anomaly_detector:fd use;
 # Kernel and cros_anomaly_detector are expected to run crash_reporter.
 # This audit allow is used to catch more unexpected usage.
 # -chromeos since we're pulling more processes out of chromeos, also it creates noises that crash_test.py
 # tries to run crash_reporter during the test.
 auditallow {
 chromeos_domain
 -kernel
 -cros_init
 -chromeos
 -cros_anomaly_detector
 -cros_crash
 -cros_udevd # Udevd is also expected to execute crash reporter.
 -cros_ssh_session
 } cros_crash_reporter_exec:file execute;

 minijail_netns_new(cros_crash)
 log_writer(cros_crash);
 cros_dbus_client(cros_crash);
 execute_file_follow_link(cros_crash, sh_exec);

 allow cros_crash exec_type:file { getattr open read };

 allow cros_crash cros_core_collector_exec:file execute;

 allow cros_crash { proc_uptime proc_stat }:file r_file_perms;

 filetrans_pattern(chromeos_domain, cros_var_spool, cros_crash_spool, dir, "crash");
 auditallow { chromeos_domain -cros_crash } cros_crash_spool:dir create;

 allow cros_crash cros_crash_spool:dir create_dir_perms;
 allow cros_crash cros_crash_spool:file create_file_perms;
 filetrans_pattern(cros_crash, cros_var_lib, cros_var_lib_crash_reporter, dir, "crash_reporter");
 allow cros_crash cros_var_lib_crash_reporter:dir create_dir_perms;
 allow cros_crash cros_var_lib_crash_reporter:file create_file_perms;
 filetrans_pattern(cros_crash, cros_run, cros_run_crash_reporter, dir, "crash_reporter");
 allow cros_crash cros_run_crash_reporter:dir create_dir_perms;
 allow cros_crash cros_run_crash_reporter:file create_file_perms;

 filetrans_pattern(cros_crash, cros_home_chronos, cros_home_chronos_crash, dir, "crash");
 allow cros_crash cros_home_chronos_crash:dir create_dir_perms;
 allow cros_crash cros_home_chronos_crash:file create_file_perms;

 # filetrans done in cros_init
 allow cros_crash cros_run:dir create_dir_perms;
 allow cros_crash cros_run_metrics:dir create_dir_perms;
 allow cros_crash cros_run_metrics_external:dir create_dir_perms;
 filetrans_pattern(cros_crash, cros_run_metrics_external, cros_run_metrics_external_crash, dir, "crash-reporter");
 allow cros_crash cros_run_metrics_external_crash:dir create_dir_perms;
 allow cros_crash cros_run_metrics_external_crash:file create_file_perms;

 allow cros_crash kernel:fifo_file { read ioctl };
 allow cros_crash domain:dir search;
 allow cros_crash domain:file { getattr open read };
 allow cros_crash domain:lnk_file read;

 # anomaly_detector minijail made it potentially cros_minijail_minijail_tmp_file.
 # cros_crash libminijail wants to create on top of it.
 tmp_file(cros_crash, dir, , cros_minijail_minijail_tmp_file);
 allow cros_crash cros_crash_tmp_file:dir create_dir_perms;
 allow cros_crash cros_crash_tmp_file:{file lnk_file} create_file_perms;

 r_dir_file(cros_crash, cros_var_lib_whitelist);
 r_dir_file(cros_crash, cros_passwd_file);

 r_dir_file(cros_crash, cros_anomaly_detector_tmp_file);

 r_dir_file(cros_crash, cros_run_containers);

 allow cros_crash cros_var_log_eventlog:file r_file_perms;

 allow cros_crash self:capability { sys_admin chown sys_nice };
 arc_cts_fails_release(`
 allow cros_crash self:capability { sys_ptrace dac_override };
 ', (`cros_crash'));

 # neverallow { domain -init } usermodehelper:file { append write };
 arc_cts_fails_release(`
 allow cros_crash usermodehelper:file w_file_perms;
 ', (`cros_crash'))

 allow cros_crash pstorefs:dir r_dir_perms;
 allow cros_crash sysfs_class_devcoredump:file w_file_perms;
 allow cros_crash sysfs_class_devcoredump:dir search;

 # the following are likely to be minijail related.
 # DO NOT PUT non-minijail related policies below.
 # tmpfs for /dev is labeled as cros_crash_tmp_file from above.
 minijail_mountdev(cros_crash, cros_crash_tmp_file);
 minijail_mounts(
  cros_crash,
  ,
  {
   cros_minijail_minijail_tmp_file # created by anomaly_detector minijail
   cros_crash_tmp_file
  }
 )
	# SELinux policy for crash reporting.

	type cros_crash, cros_miscdomain, chromeos_domain, domain;

	permissive cros_crash;

	allow cros_crash chromeos:fd use;

	allow cros_crash devpts:chr_file rw_file_perms;
	allow cros_crash cros_labeled_dev_type:chr_file rw_file_perms;

	allow cros_crash cros_syslog:file r_file_perms;

	allow cros_crash unlabeled:dir search;


	# FOR DEBUG
	# Allow execute (but not transition to escape from enforced domain) crash_reporter to observe if there's
	# other permissive callers than below.
	allow chromeos_domain cros_crash_reporter_exec:file execute;
	auditallow {
	chromeos_domain
	-kernel
	-cros_init
	-cros_init_scripts
	-cros_init_scripts_domain
	-cros_shill
	-cros_anomaly_detector
	-cros_crash # self-exec
	} cros_crash_reporter_exec:file execute;


	# crash-reporter to be executed by anomaly_detector/init/init scripts/shill
	domain_auto_trans({
	kernel
	cros_init
	cros_init_scripts
	cros_init_scripts_domain
	cros_shill
	cros_anomaly_detector
	}, cros_crash_reporter_exec, cros_crash);

	allow cros_crash cros_anomaly_detector:fd use;
	# Kernel and cros_anomaly_detector are expected to run crash_reporter.
	# This audit allow is used to catch more unexpected usage.
	# -chromeos since we're pulling more processes out of chromeos, also it creates noises that crash_test.py
	# tries to run crash_reporter during the test.
	auditallow {
	chromeos_domain
	-kernel
	-cros_init
	-chromeos
	-cros_anomaly_detector
	-cros_crash
	-cros_udevd # Udevd is also expected to execute crash reporter.
	-cros_ssh_session
	} cros_crash_reporter_exec:file execute;

	minijail_netns_new(cros_crash)
	log_writer(cros_crash);
	cros_dbus_client(cros_crash);
	execute_file_follow_link(cros_crash, sh_exec);

	allow cros_crash exec_type:file { getattr open read };

	allow cros_crash cros_core_collector_exec:file execute;

	allow cros_crash { proc_uptime proc_stat }:file r_file_perms;

	filetrans_pattern(chromeos_domain, cros_var_spool, cros_crash_spool, dir, "crash");
	auditallow { chromeos_domain -cros_crash } cros_crash_spool:dir create;

	allow cros_crash cros_crash_spool:dir create_dir_perms;
	allow cros_crash cros_crash_spool:file create_file_perms;
	filetrans_pattern(cros_crash, cros_var_lib, cros_var_lib_crash_reporter, dir, "crash_reporter");
	allow cros_crash cros_var_lib_crash_reporter:dir create_dir_perms;
	allow cros_crash cros_var_lib_crash_reporter:file create_file_perms;
	filetrans_pattern(cros_crash, cros_run, cros_run_crash_reporter, dir, "crash_reporter");
	allow cros_crash cros_run_crash_reporter:dir create_dir_perms;
	allow cros_crash cros_run_crash_reporter:file create_file_perms;

	filetrans_pattern(cros_crash, cros_home_chronos, cros_home_chronos_crash, dir, "crash");
	allow cros_crash cros_home_chronos_crash:dir create_dir_perms;
	allow cros_crash cros_home_chronos_crash:file create_file_perms;

	# filetrans done in cros_init
	allow cros_crash cros_run:dir create_dir_perms;
	allow cros_crash cros_run_metrics:dir create_dir_perms;
	allow cros_crash cros_run_metrics_external:dir create_dir_perms;
	filetrans_pattern(cros_crash, cros_run_metrics_external, cros_run_metrics_external_crash, dir, "crash-reporter");
	allow cros_crash cros_run_metrics_external_crash:dir create_dir_perms;
	allow cros_crash cros_run_metrics_external_crash:file create_file_perms;

	allow cros_crash kernel:fifo_file { read ioctl };
	allow cros_crash domain:dir search;
	allow cros_crash domain:file { getattr open read };
	allow cros_crash domain:lnk_file read;

	# anomaly_detector minijail made it potentially cros_minijail_minijail_tmp_file.
	# cros_crash libminijail wants to create on top of it.
	tmp_file(cros_crash, dir, , cros_minijail_minijail_tmp_file);
	allow cros_crash cros_crash_tmp_file:dir create_dir_perms;
	allow cros_crash cros_crash_tmp_file:{file lnk_file} create_file_perms;

	r_dir_file(cros_crash, cros_var_lib_whitelist);
	r_dir_file(cros_crash, cros_passwd_file);

	r_dir_file(cros_crash, cros_anomaly_detector_tmp_file);

	r_dir_file(cros_crash, cros_run_containers);

	allow cros_crash cros_var_log_eventlog:file r_file_perms;

	allow cros_crash self:capability { sys_admin chown sys_nice };
	arc_cts_fails_release(`
	allow cros_crash self:capability { sys_ptrace dac_override };
	', (`cros_crash'));

	# neverallow { domain -init } usermodehelper:file { append write };
	arc_cts_fails_release(`
	allow cros_crash usermodehelper:file w_file_perms;
	', (`cros_crash'))

	allow cros_crash pstorefs:dir r_dir_perms;
	allow cros_crash sysfs_class_devcoredump:file w_file_perms;
	allow cros_crash sysfs_class_devcoredump:dir search;

	# the following are likely to be minijail related.
	# DO NOT PUT non-minijail related policies below.
	# tmpfs for /dev is labeled as cros_crash_tmp_file from above.
	minijail_mountdev(cros_crash, cros_crash_tmp_file);
	minijail_mounts(
	cros_crash,
	,
	{
	cros_minijail_minijail_tmp_file # created by anomaly_detector minijail
	cros_crash_tmp_file
	}
	)