private/dumpstate.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
 init_daemon_domain(dumpstate)

 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)

 # TODO: deal with tmpfs_domain pub/priv split properly
 allow dumpstate dumpstate_tmpfs:file execute;

 # systrace support - allow atrace to run
 allow dumpstate debugfs_tracing:dir r_dir_perms;
 allow dumpstate debugfs_tracing:file rw_file_perms;
 allow dumpstate debugfs_trace_marker:file getattr;
 allow dumpstate atrace_exec:file rx_file_perms;
 allow dumpstate storaged_exec:file rx_file_perms;

 # Allow dumpstate to make binder calls to storaged service
 binder_call(dumpstate, storaged)

 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
	# type_transition must be private policy the domain_trans rules could stay
	# public, but conceptually should go with this
	init_daemon_domain(dumpstate)

	# Execute and transition to the vdc domain
	domain_auto_trans(dumpstate, vdc_exec, vdc)

	# TODO: deal with tmpfs_domain pub/priv split properly
	allow dumpstate dumpstate_tmpfs:file execute;

	# systrace support - allow atrace to run
	allow dumpstate debugfs_tracing:dir r_dir_perms;
	allow dumpstate debugfs_tracing:file rw_file_perms;
	allow dumpstate debugfs_trace_marker:file getattr;
	allow dumpstate atrace_exec:file rx_file_perms;
	allow dumpstate storaged_exec:file rx_file_perms;

	# Allow dumpstate to make binder calls to storaged service
	binder_call(dumpstate, storaged)

	# Collect metrics on boot time created by init
	get_prop(dumpstate, boottime_prop)