Fix selinux denials during bugreport

avc: denied { read } for pid=1704 comm="top" name="stat" dev="proc" ino=4026532297 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=0 avc: denied { read } for pid=1636 comm="dumpstate" name="lcd-backlight" dev="sysfs" ino=16592 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=lnk_file permissive=0 avc: denied { call } for pid=2230 comm="dumpsys" scontext=u:r:dumpstate:s0 tcontext=u:r:installd:s0 tclass=binder permissive=0 avc: denied { create } for pid=1700 comm="ip" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_xfrm_socket permissive=0 Bug: 62410287 Bug: 35350306 Change-Id: I65be3678c64214ebeb544e0e155bce88b21adf02 Signed-off-by: Tim Kryger <tkryger@google.com>

Fix selinux denials during bugreport
b7e1f2dd · Tim Kryger · 4fc64f2f · b7e1f2dd
Commit b7e1f2dd authored 7 years ago by Tim Kryger
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -214,6 +214,20 @@ allow dumpstate ion_device:chr_file r_file_perms;
 # read default labeled files in /sys
 r_dir_file(dumpstate, sysfs)

+# Allow dumpstate to run top
+allow dumpstate proc_stat:file r_file_perms;
+
+# Allow dumpstate to read backlight details
+allow dumpstate sysfs_leds:lnk_file r_file_perms;
+allow dumpstate sysfs_leds:file r_file_perms;
+allow dumpstate sysfs_leds:dir search;
+
+# Allow dumpstate to talk to installd over binder
+binder_call(dumpstate, installd);
+
+# Allow dumpstate to run ip xfrm policy
+allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
 ###
 ### neverallow rules
 ###