Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / f7bfd489d2712766a183b957191fdb2d62514262^! / .
commitf7bfd489d2712766a183b957191fdb2d62514262[log] [tgz]
authorLorenzo Colitti <lorenzo@google.com>Tue Apr 19 08:05:44 2016 +0900
committerLorenzo Colitti <lorenzo@google.com>Tue Apr 19 12:12:07 2016 +0900
treeca449707ab9435ff922bea2898db9b4e56bf19b6
parent0959aa67525725818c89b5cdeda11f1cad489066 [diff]
Allow bugreports to dump the native netd service state.

Bug: 28251026
Change-Id: I73dce178b873d45e703896f12c10325af2ade81d

diff --git a/dumpstate.te b/dumpstate.te
index 5095ecd..ebc0d67 100644
--- a/dumpstate.te
+++ b/dumpstate.te

@@ -70,7 +70,8 @@
 
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain autoplay_app })
+binder_call(dumpstate, { appdomain autoplay_app netd })
+
 
 # Reading /proc/PID/maps of other processes
 allow dumpstate self:capability sys_ptrace;
@@ -123,7 +124,7 @@
   allow dumpstate misc_logd_file:file r_file_perms;
 ')
 
-allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 
 allow dumpstate devpts:chr_file rw_file_perms;

diff --git a/netd.te b/netd.te
index 6864ad6..0d9c047 100644
--- a/netd.te
+++ b/netd.te

@@ -60,6 +60,7 @@
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
 allow netd netd_service:service_manager add;
+allow netd dumpstate:fifo_file  { getattr write };
 
 # Allow netd to call into the system server so it can check permissions.
 allow netd system_server:binder call;
@@ -90,7 +91,7 @@
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
 
-# only system_server may interact with netd over binder
-neverallow { domain -system_server } netd_service:service_manager find;
-neverallow { domain -system_server } netd:binder call;
+# only system_server and dumpstate may interact with netd over binder
+neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } netd:binder call;
 neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;