Grant access to net_raw and net_admin to dumpstate.

These capabilities are required so it can run iptables, otherwise it will cause failures such as: 06-20 16:19:02.650 5524 5524 W iptables: type=1400 audit(0.0:232): avc: denied { net_raw } for capability=13 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0 06-20 16:56:57.119 5070 5070 W iptables: type=1400 audit(0.0:13): avc: denied { net_admin } for capability=12 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0 BUG: 29455997 Change-Id: I9c0d1973f166da202d039eac883a6e53d53e24cb

Grant access to net_raw and net_admin to dumpstate.
51fdddaf · Felipe Leme · 15105ce7 · 51fdddaf
Commit 51fdddaf authored 8 years ago by Felipe Leme
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -13,8 +13,13 @@ allow dumpstate self:capability { setuid setgid sys_resource };
 # Allow dumpstate to scan through /proc/pid for all processes
 r_dir_file(dumpstate, domain)

-# Send signals to processes
-allow dumpstate self:capability kill;
+allow dumpstate self:capability {
+    # Send signals to processes
+    kill
+    # Run iptables
+    net_raw
+    net_admin
+};

 # Allow executing files on system, such as:
 #   /system/bin/toolbox