Handle denials caused by taking a bugreport.
apex_service is already in the list of services dumpstate cannot find;
this ensures that the dontaudit list is the same. We hide the denial
caused by df reading one of its directories.
dumpstate can already call all binder services, so we enable it to
call bufferhubd.
Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie5acc84326fa504199221df825549479f3cf50e1
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 79faafa..3b5c5eb 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -216,6 +216,7 @@
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
+ apex_service
dumpstate_service
gatekeeper_service
incident_service
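Review bot: the dontaudit list here is maintained by hand in parallel with the `{ ... }:service_manager find` neverallow set that the context line `}:service_manager find;` closes, and the two only stay in sync if every future addition to one is mirrored in the other. Consider adding a comment on the `dontaudit dumpstate {` block (or on the set above it) stating that the two lists must match, so the next service added to the find-exclusion list is not silently left out of the dontaudit set and reappears as a bugreport denial.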
@@ -272,6 +273,10 @@
# For when dumpstate runs df
dontaudit dumpstate mnt_vendor_file:dir search;
+dontaudit dumpstate apex_mnt_dir:dir getattr;
+
+# Allow dumpstate to talk to bufferhubd over binder
+binder_call(dumpstate, bufferhubd);
# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)
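Review bot: the new `dontaudit dumpstate apex_mnt_dir:dir getattr;` sits under the comment `# For when dumpstate runs df`, which still names only the `mnt_vendor_file` case; extend the comment so it covers both suppressed directories, since a reader otherwise has to consult the commit message to learn why apex_mnt_dir is silenced. Separately, `binder_call(dumpstate, bufferhubd);` is an allow rule, not a dontaudit: unlike the rest of the change it widens what dumpstate may do rather than only hiding an audit line. The commit message justifies it with "dumpstate can already call all binder services", but the comment `# Allow dumpstate to talk to bufferhubd over binder` should say what dumpstate needs from bufferhubd during a bugreport (presumably a dump) so the grant is reviewable on its own, and it is worth confirming that the existing blanket rule does not already cover this call, in which case the line is redundant.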