Merge changes Icb6ea6ce,I89b546c7
* changes:
Shell: grant permission to run lsmod
Dumpstate: cleanup denial logspam
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 42d9290..a814f16 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,6 +151,7 @@
read_runtime_log_tags(dumpstate)
# Read files in /proc
+allow dumpstate proc_cmdline:file r_file_perms;
allow dumpstate proc_meminfo:file r_file_perms;
allow dumpstate proc_net:file r_file_perms;
allow dumpstate proc_pagetypeinfo:file r_file_perms;
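Review bot: The added `allow dumpstate proc_cmdline:file r_file_perms;` has no comment saying why dumpstate needs /proc/cmdline, and it grants the read instead of suppressing the denial, although the change is titled a logspam cleanup. The kernel command line may carry device-specific values passed by the bootloader, and what dumpstate reads can end up in a bug report that leaves the device. If the read is intended, document it next to the rule, e.g. `# /proc/cmdline is captured in bug reports for boot diagnostics`. If it is not, `dontaudit dumpstate proc_cmdline:file r_file_perms;` would match the stated intent without widening access.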
@@ -198,6 +199,16 @@
-vold_service
-vr_hwc_service
}:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+ dumpstate_service
+ gatekeeper_service
+ incident_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
+
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;
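Review bot: The `dontaudit dumpstate { ... }:service_manager find;` block hand-copies what appears to be the exclusion list of the `find` allow rule just above it, so the two lists can drift apart. The start of that allow rule lies outside the hunk, so only `vold_service` and `vr_hwc_service` can be confirmed as matching. A comment such as `# keep in sync with the services excluded from the find rule above` would make the coupling explicit. Note also that dontaudit removes these lookups from the audit log entirely, so an unexpected attempt by dumpstate to reach `gatekeeper_service` or `vold_service` will no longer show up when denials are triaged.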
diff --git a/public/shell.te b/public/shell.te
index fb650bf..44d8121 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -106,12 +106,13 @@
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;
-# allow shell to look through /proc/ for ps, top, netstat
+# allow shell to look through /proc/ for lsmod, ps, top, netstat.
r_dir_file(shell, proc)
r_dir_file(shell, proc_net)
allow shell proc_filesystems:file r_file_perms;
allow shell proc_interrupts:file r_file_perms;
allow shell proc_meminfo:file r_file_perms;
+allow shell proc_modules:file r_file_perms;
allow shell proc_stat:file r_file_perms;
allow shell proc_timer:file r_file_perms;
allow shell proc_zoneinfo:file r_file_perms;
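Review bot: `allow shell proc_modules:file r_file_perms;` opens /proc/modules to the adb shell domain, and that file lists each loaded module together with its load address. Whether the address is zeroed for an unprivileged reader depends on the kernel's kptr_restrict setting, which this policy does not control. It is worth confirming that setting on shipped builds and recording the assumption beside the rule, e.g. `# lsmod; module addresses are hidden by kptr_restrict`. As a smaller point, the edited comment now names lsmod above `r_dir_file(shell, proc)`, while the access lsmod needs comes from the proc_modules line further down.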