From c24d90cb5991ee53842c8fddf526187767ec92ec Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 6 Apr 2015 15:24:51 -0700
Subject: [PATCH] dumpstate: allow df on /storage/emulated

dumpstate runs "df" on all mounted filesystems. Allow dumpstate
to access /storage/emulated so df works.

Addresses the following denial:

  avc: denied { search } for pid=4505 comm="df" name="/" dev="tmpfs" ino=6207 scontext=u:r:dumpstate:s0 tcontext=u:object_r:storage_file:s0 tclass=dir

Change-Id: I99dac8321b19952e37c0dd9d61a680a27beb1ae8
---
 dumpstate.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dumpstate.te b/dumpstate.te
index 16050edb8..450ca9a22 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -63,6 +63,8 @@ allow dumpstate sysfs:file w_file_perms;
 # Other random bits of data we want to collect
 allow dumpstate qtaguid_proc:file r_file_perms;
 allow dumpstate debugfs:file r_file_perms;
+# df for /storage/emulated needs search
+allow dumpstate storage_file:dir search;
 
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
-- 
GitLab