Added permissions for the dumpstate service.

- Allow dumpstate to create the dumpservice service.
- Allow System Server and Shell to find that service.
- Don't allow anyone else to create that service.
- Don't allow anyone else to find that service.

BUG: 31636879
Test: manual verification
Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711

private/service_contexts

@@ -43,6 +43,7 @@ DockObserver                              u:object_r:DockObserver_service:s0
 dreams                                    u:object_r:dreams_service:s0
 drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
+dumpstate                                 u:object_r:dumpstate_service:s0
 ethernet                                  u:object_r:ethernet_service:s0
 fingerprint                               u:object_r:fingerprint_service:s0
 android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0

public/dumpstate.te

@@ -174,7 +174,7 @@ userdebug_or_eng(`
   allow dumpstate misc_logd_file:file r_file_perms;
 ')
 
-allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 
 allow dumpstate devpts:chr_file rw_file_perms;
@@ -197,3 +197,16 @@ allow dumpstate atrace_exec:file rx_file_perms;
 allow dumpstate media_rw_data_file:dir getattr;
 allow dumpstate proc_interrupts:file r_file_perms;
 allow dumpstate proc_zoneinfo:file r_file_perms;
+
+# Create a service for talking back to system_server
+allow dumpstate dumpstate_service:service_manager add;
+
+###
+### neverallow rules
+###
+
+# only dumpstate can add the dumpstate service
+neverallow { domain -dumpstate } dumpstate_service:service_manager add;
+
+# only system_server and shell can find the dumpstate service
+neverallow { domain -system_server -shell } dumpstate_service:service_manager find;

public/service.te

@@ -3,6 +3,7 @@ type bluetooth_service,         service_manager_type;
 type cameraserver_service,      service_manager_type;
 type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
+type dumpstate_service,         service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
 type fingerprintd_service,      service_manager_type;
 type batteryproperties_service, app_api_service, service_manager_type;

public/shell.te

@@ -91,7 +91,10 @@ allow shell kernel:system syslog_read;
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
-allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
+# TODO: why is this so broad? Tightening candidate? It needs at list:
+# - dumpstate_service (so it can receive dumpstate progress updates)
+allow shell { service_manager_type -gatekeeper_service -netd_service}:service_manager find;
+allow shell dumpstate:binder call;
 
 # allow shell to look through /proc/ for ps, top, netstat
 r_dir_file(shell, proc)

public/system_app.te

@@ -49,7 +49,8 @@ allow system_app anr_data_file:file create_file_perms;
 allow system_app asec_apk_file:file r_file_perms;
 
 allow system_app servicemanager:service_manager list;
-allow system_app { service_manager_type -netd_service }:service_manager find;
+# TODO: scope this down? Too broad?
+allow system_app { service_manager_type -netd_service -dumpstate_service }:service_manager find;
 
 allow system_app keystore:keystore_key {
 	get_state

public/system_server.te

@@ -443,6 +443,7 @@ allow system_server sysfs_zram:file r_file_perms;
 allow system_server audioserver_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
+allow system_server dumpstate_service:service_manager find;
 allow system_server batteryproperties_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;