Merge "Ensure taking a bugreport generates no denials." into pi-dev

7cfabb12 · TreeHugger Robot · Android (Google) Code Review · 37666db3 · ba0c279d · 7cfabb12
Commit 7cfabb12 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -38,3 +38,10 @@ get_prop(dumpstate, boottime_prop)
 allow dumpstate {
  statsd
 }:process signal;
+# For collecting bugreports.
+allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+allow dumpstate dev_type:blk_file getattr;
+allow dumpstate webview_zygote:process signal;
+dontaudit dumpstate perfprofd:binder call;
+dontaudit dumpstate update_engine:binder call;
--- a/private/installd.te
+++ b/private/installd.te
@@ -16,3 +16,7 @@ domain_auto_trans(installd, idmap_exec, idmap)
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
+# For collecting bugreports.
+allow installd dumpstate:fd use;
+allow installd dumpstate:fifo_file r_file_perms;
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -51,6 +51,9 @@ allow storaged package_native_service:service_manager find;
 # running as root. See b/35323867 #3.
 dontaudit storaged self:global_capability_class_set dac_override;
+# For collecting bugreports.
+allow storaged dumpstate:fifo_file write;
 ###
 ### neverallow
 ###

--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -5,3 +5,7 @@ type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
 allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+# For collecting bugreports.
+allow hal_camera_default dumpstate:fd use;
+allow hal_camera_default dumpstate:fifo_file write;