From 42aaf5a0a5dc6a3ae6d95cbb295f6fd091edb779 Mon Sep 17 00:00:00 2001
From: Felipe Leme <felipeal@google.com>
Date: Mon, 20 Jun 2016 10:01:53 -0700
Subject: [PATCH] Grant access to net_raw and net_admin to dumpstate.

Cherrypicked from AOSP
(commit 51fdddaf19981f9d77aafff228a6b2aedcdb97a1).

BUG: 29455997
Change-Id: I9c0d1973f166da202d039eac883a6e53d53e24cb
---
 dumpstate.te | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/dumpstate.te b/dumpstate.te
index ac94e4c82..318755528 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -13,8 +13,13 @@ allow dumpstate self:capability { setuid setgid sys_resource };
 # Allow dumpstate to scan through /proc/pid for all processes
 r_dir_file(dumpstate, domain)
 
-# Send signals to processes
-allow dumpstate self:capability kill;
+allow dumpstate self:capability {
+    # Send signals to processes
+    kill
+    # Run iptables
+    net_raw
+    net_admin
+};
 
 # Allow executing files on system, such as:
 #   /system/bin/toolbox
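Review bot: `net_raw` and `net_admin` are granted to the dumpstate domain itself under the single comment `# Run iptables`, which does not record that the capabilities are presumably needed only to list the current rules for a bug report. `net_admin` also permits changing firewall, routing and interface configuration, so the grant is considerably wider than the stated use. The comment could say so, for example `# Run iptables to dump the current rules (listing only; needs net_raw and net_admin)`, so that a later policy audit knows what the grant was meant to cover. The exec rules continue below this hunk, so it is not visible here whether iptables runs in the dumpstate domain or transitions to its own. If it runs in-domain, every other program dumpstate executes without a transition holds the same capabilities, and a dedicated domain for the iptables invocation would confine them.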
-- 
GitLab