Dumpstate: cleanup denial logspam

Dumpstate lists all services and then enumerates over them. Suppress "find" denials for services which dumpstate is neverallowed access to. Dumpstate includes the kernel command line in bug reports. Grant access to /proc/cmdline. Test: build. Run adb bugreport. Change-Id: I89b546c728a034638f9257c6cf93366d99a10762

Dumpstate: cleanup denial logspam
d5678c11 · Jeff Vander Stoep · adef499d · d5678c11
Commit d5678c11 authored 7 years ago by Jeff Vander Stoep
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,6 +151,7 @@ control_logd(dumpstate)
 read_runtime_log_tags(dumpstate)
 # Read files in /proc
+allow dumpstate proc_cmdline:file r_file_perms;
 allow dumpstate proc_meminfo:file r_file_perms;
 allow dumpstate proc_net:file r_file_perms;
 allow dumpstate proc_pagetypeinfo:file r_file_perms;
@@ -198,6 +199,16 @@ allow dumpstate {
  -vold_service
  -vr_hwc_service
 }:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+  dumpstate_service
+  gatekeeper_service
+  incident_service
+  virtual_touchpad_service
+  vold_service
+  vr_hwc_service
+}:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 allow dumpstate hwservicemanager:hwservice_manager list;