Dumpstate runs the same from shell as service.

Without this change, any selinux warning you might get when running dumpstate from init do not show up when running from the shell as root. This change makes them run the same. Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb

Dumpstate runs the same from shell as service.
5ec38c49 · Christopher Ferris · bba18381 · 5ec38c49 · 5ec38c49 · 5ec38c49
Commit 5ec38c49 authored 10 years ago by Christopher Ferris
--- a/app.te
+++ b/app.te
@@ -263,8 +263,9 @@ neverallow appdomain { domain -appdomain }:process
    { sigkill sigstop signal };
 # Transition to a non-app domain.
-# Exception for the shell domain, can transition to runas, etc.
+# Exception for the shell domain and the su domain, can transition to runas,
-neverallow { appdomain -shell } { domain -appdomain }:process
+# etc.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
    { transition dyntransition };
 # Write to rootfs.

--- a/dumpstate.te
+++ b/dumpstate.te
@@ -6,8 +6,9 @@ init_daemon_domain(dumpstate)
 net_domain(dumpstate)
 binder_use(dumpstate)
-# Drop privileges by switching UID / GID
+# Allow setting process priority, protect from OOM killer, and dropping
-allow dumpstate self:capability { setuid setgid };
+# privileges by switching UID / GID
+allow dumpstate self:capability { setuid setgid sys_resource };
 # Allow dumpstate to scan through /proc/pid for all processes
 r_dir_file(dumpstate, domain)
@@ -119,3 +120,5 @@ allow dumpstate {
 }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
+allow dumpstate devpts:chr_file rw_file_perms;
--- a/su.te
+++ b/su.te
@@ -12,6 +12,10 @@ userdebug_or_eng(`
  # additional information.
  domain_auto_trans(dumpstate, su_exec, su)
+  # Make sure that dumpstate runs the same from the "su" domain as
+  # from the "init" domain.
+  domain_auto_trans(su, dumpstate_exec, dumpstate)
  # su is also permissive to permit setenforce.
  permissive su;