diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index a587b4df5e80438f5be55c40db9ab2395980e870..d44fd7ad7bc0720d6b1f62f47a96b2852ce421ae 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -452,6 +452,7 @@
   ( proc
     proc_abi
     proc_asound
+    proc_buddyinfo
     proc_cmdline
     proc_dirty
     proc_diskstats
diff --git a/private/domain.te b/private/domain.te
index 8a410975bbf9e5af109368479cf73ccad7deff52..dae40d25abd0219df9688c3c57f7a77e587edfff 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -24,7 +24,6 @@ full_treble_only(`
   # /proc
   neverallow {
     coredomain
-    -dumpstate
     -vold
     -vendor_init
   } proc:file no_rw_file_perms;
@@ -32,7 +31,6 @@ full_treble_only(`
   # /sys
   neverallow {
     coredomain
-    -dumpstate
     -init
     -ueventd
     -vold
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1fddb6eb56b459f1df43b1f23ee1cb408859857f..2ff1b4d9bcebb7c8aa94b9e6822b520e4a0b8ac0 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,6 +3,7 @@ genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /diskstats u:object_r:proc_diskstats:s0
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3a9701d3c623c49f46c23049f9279769ed9c20f3..5f6e5f79c2dee9cedf2c0b8adca17aeae5fa17a8 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -82,8 +82,14 @@ allow dumpstate {
 # Connect to tombstoned to intercept dumps.
 unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
 
-# TODO: added to match above sysfs rule. Remove me?
-allow dumpstate sysfs_usb:file w_file_perms;
+# Access to /sys
+allow dumpstate sysfs_type:dir r_dir_perms;
+
+allow dumpstate {
+  sysfs_dm
+  sysfs_usb
+  sysfs_zram
+}:file r_file_perms;
 
 # Other random bits of data we want to collect
 allow dumpstate qtaguid_proc:file r_file_perms;
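Review bot: `allow dumpstate sysfs_type:dir r_dir_perms;` is attribute-wide, so dumpstate can open and list directories of every sysfs label, including ones added later by vendor policy, while the file read list next to it is limited to three labels; the `# Access to /sys` comment does not say why the directory grant needs to be that broad. A comment such as `# Directory traversal only: file reads stay limited to the explicitly labeled sysfs types below.` would record the intent. This hunk also narrows the `sysfs_usb` grant from `w_file_perms` to `r_file_perms`, and the last hunk of this file drops `neverallow dumpstate sysfs:file no_w_file_perms;`. The replacement neverallow in private/domain.te appears to sit inside `full_treble_only(`, so on builds where that macro expands to nothing the write guard would be gone; keeping the dumpstate-specific neverallow here would preserve it at no cost.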
@@ -113,8 +119,6 @@ hal_client_domain(dumpstate, hal_dumpstate)
 hal_client_domain(dumpstate, hal_graphics_allocator)
 # Vibrate the device after we are done collecting the bugreport
 hal_client_domain(dumpstate, hal_vibrator)
-# For passthrough mode:
-allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
 
 # Reading /proc/PID/maps of other processes
 allow dumpstate self:global_capability_class_set sys_ptrace;
@@ -153,15 +157,18 @@ read_runtime_log_tags(dumpstate)
 
 # Read files in /proc
 allow dumpstate {
+  proc_buddyinfo
   proc_cmdline
   proc_meminfo
+  proc_modules
   proc_net
   proc_pipe_conf
   proc_pagetypeinfo
+  proc_qtaguid_stat
   proc_version
   proc_vmallocinfo
+  proc_vmstat
 }:file r_file_perms;
-r_dir_file(dumpstate, proc)
 
 # Read network state info files.
 allow dumpstate net_data_file:dir search;
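Review bot: Dropping `r_dir_file(dumpstate, proc)` removes more than generic file reads, because that macro also grants directory and symlink access on the type, and the allow block above covers only the `file` class. If `proc:dir` and `proc:lnk_file` access is not granted to dumpstate elsewhere (not visible in this hunk), walking /proc would be denied, so it is worth confirming with a full bugreport run and checking the audit log for avc denials with dumpstate as the source context. The block would also benefit from stating the intent, e.g. `# Generic "proc" is deliberately not listed; give a file its own label in genfs_contexts before adding it here.`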
@@ -249,9 +256,6 @@ add_service(dumpstate, dumpstate_service)
 # use /dev/ion for screen capture
 allow dumpstate ion_device:chr_file r_file_perms;
 
-# read default labeled files in /sys
-r_dir_file(dumpstate, sysfs)
-
 # Allow dumpstate to run top
 allow dumpstate proc_stat:file r_file_perms;
 
@@ -282,7 +286,3 @@ neverallow {
   userdebug_or_eng(`-traceur_app')
   -dumpstate
 } dumpstate_service:service_manager find;
-
-# Dumpstate should not be writing to any generically labeled sysfs files.
-# Create a specific label for the file type
-neverallow dumpstate sysfs:file no_w_file_perms;
diff --git a/public/file.te b/public/file.te
index 91796c068d12e14729558f6783673678ba7dfc5b..13176972bcf4470ab1eb5095934faef7acd12e7f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -16,6 +16,7 @@ type proc_qtaguid_stat, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_abi, fs_type;
 type proc_asound, fs_type;
+type proc_buddyinfo, fs_type;
 type proc_cmdline, fs_type;
 type proc_cpuinfo, fs_type;
 type proc_dirty, fs_type;