From 5ec38c49e3b61b8a3228b56278e85fc276eaec6b Mon Sep 17 00:00:00 2001
From: Christopher Ferris <cferris@google.com>
Date: Thu, 29 Jan 2015 12:11:55 -0800
Subject: [PATCH] Dumpstate runs the same from shell as service.

Without this change, any selinux warning you might get when running
dumpstate from init do not show up when running from the shell
as root. This change makes them run the same.

Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb
---
 app.te       | 5 +++--
 dumpstate.te | 7 +++++--
 su.te        | 4 ++++
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/app.te b/app.te
index 902200181..be47ca557 100644
--- a/app.te
+++ b/app.te
@@ -263,8 +263,9 @@ neverallow appdomain { domain -appdomain }:process
     { sigkill sigstop signal };
 
 # Transition to a non-app domain.
-# Exception for the shell domain, can transition to runas, etc.
-neverallow { appdomain -shell } { domain -appdomain }:process
+# Exception for the shell domain and the su domain, can transition to runas,
+# etc.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
     { transition dyntransition };
 
 # Write to rootfs.
diff --git a/dumpstate.te b/dumpstate.te
index ad4f23808..876eaca03 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -6,8 +6,9 @@ init_daemon_domain(dumpstate)
 net_domain(dumpstate)
 binder_use(dumpstate)
 
-# Drop privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid };
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+allow dumpstate self:capability { setuid setgid sys_resource };
 
 # Allow dumpstate to scan through /proc/pid for all processes
 r_dir_file(dumpstate, domain)
@@ -119,3 +120,5 @@ allow dumpstate {
 }:service_manager find;
 
 allow dumpstate servicemanager:service_manager list;
+
+allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/su.te b/su.te
index c42e4a720..dab52103c 100644
--- a/su.te
+++ b/su.te
@@ -12,6 +12,10 @@ userdebug_or_eng(`
   # additional information.
   domain_auto_trans(dumpstate, su_exec, su)
 
+  # Make sure that dumpstate runs the same from the "su" domain as
+  # from the "init" domain.
+  domain_auto_trans(su, dumpstate_exec, dumpstate)
+
   # su is also permissive to permit setenforce.
   permissive su;
 
-- 
GitLab