Allow dumpstate to exec derive_sdk

derive_sdk is used to configure installed SDK extensions. It can also
print debug information about these.

Allow dumpstate to execute derive_sdk, to include the debug information
in bugreports.

Bug: 240656777
Test: adb bugreport /tmp/bugreport.zip && unzip -c /tmp/bugreport.zip bugreport*.txt | grep -i 'sdk extensions'
Change-Id: I0f502f9f94a376dff2e7eb821f7bf753de2d5482
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
index 1f60e34..f46c614 100644
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -10,3 +10,11 @@
 # Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
 set_prop(derive_sdk, module_sdkextensions_prop)
 neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
+
+# Allow derive_sdk to write data back to dumpstate when forked from dumpstate.
+# The shell_data_file permissions are needed when a bugreport is taken:
+# dumpstate will redirect its stdout to a temporary shell_data_file:file, and
+# this makes derive_sdk append to that file.
+allow derive_sdk dumpstate:fd use;
+allow derive_sdk dumpstate:unix_stream_socket { read write };
+allow derive_sdk shell_data_file:file { getattr append read write };
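
Review bot: The last added rule, `allow derive_sdk shell_data_file:file { getattr append read write };`, grants more than the comment above it justifies: the comment says derive_sdk appends to the temporary file that dumpstate redirects stdout to, yet the rule also allows `read` and `write`. If the inherited descriptor is opened append-only, `{ getattr append }` would be enough; otherwise the comment should say which access needs `read` and `write`. Leaving out `open` is a good choice, since it limits derive_sdk to descriptors it inherits rather than shell_data_file files it opens by path. The commit subject describes dumpstate executing derive_sdk, but the lines shown here only touch private/derive_sdk.te, so the dumpstate-side rule needs to be reviewed together with this hunk.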