Allow incidentd to read LAST_KMSG only for userdebug builds
Bug: 73354384
Test: manual
Change-Id: Iaaeded69c287eae757aaf68dc18bc5a0c53b94e6
diff --git a/private/domain.te b/private/domain.te
index 093e302..aa43058 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -83,6 +83,7 @@
-charger
-dumpstate
-healthd
+ userdebug_or_eng(`-incidentd')
-init
-logd
-logpersist
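Review bot: The `userdebug_or_eng(`-incidentd')` entry is the only conditionally-expanded member of this exclusion list and carries no comment, and because the enclosing neverallow starts and ends outside the hunk a reader of this line alone cannot tell which neverallow it is exempting (presumably the pstorefs one, given the matching incidentd.te change). A one-line comment tying the two together would keep them in sync when either is edited later: `# incidentd reads LAST_KMSG (pstore console-ramoops) on userdebug/eng only; see incidentd.te`. On user builds the macro expands to nothing, so the neverallow still covers incidentd there, which is the intended enforcement and should be stated rather than left implicit.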
diff --git a/private/incident_helper.te b/private/incident_helper.te
index e9bb511..e1e3fc8 100644
--- a/private/incident_helper.te
+++ b/private/incident_helper.te
@@ -8,6 +8,7 @@
# use pipe to transmit data from/to incidentd/incident_helper for parsing
allow incident_helper { shell incident incidentd }:fd use;
allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+allow incident_helper incidentd:unix_stream_socket { read write };
# only allow incidentd and shell to call incident_helper
neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
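Review bot: The new `unix_stream_socket { read write }` rule is unconditional and is not covered by the commit description, which only mentions LAST_KMSG on userdebug builds, nor by the comment on the preceding line, which describes pipes as the transport. Whether incidentd now hands incident_helper a socket instead of a fifo for every section, or only for the new pstore section, cannot be determined from the hunk; if it is only for the latter, the rule could be wrapped in `userdebug_or_eng(...)` like the incidentd.te rules. At minimum the comment above it should be extended so the transport is documented: `# incidentd may also pass incident_helper a unix stream socket (instead of a fifo) carrying section data`. Either way the rule relies on the existing `fd use` grant on the line above to receive the descriptor, so it does not widen what incident_helper can open on its own.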
diff --git a/private/incidentd.te b/private/incidentd.te
index 824dece..22ff985 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -38,6 +38,10 @@
allow incidentd sysfs_batteryinfo:dir { search };
allow incidentd sysfs_batteryinfo:file r_file_perms;
+# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
+userdebug_or_eng(`allow incidentd pstorefs:dir search');
+userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
+
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
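Review bot: The comment above the new rules says what is read (section 2007, console-ramoops) but not why the access is deliberately withheld on user builds, which is the security-relevant decision here; the previous boot's kernel console log in pstore can carry kernel addresses and other internal state that should not reach incident reports on production devices. I would extend the comment to record that and to point at the enforcement: `# userdebug/eng only: the kernel console log can expose kernel addresses/state, and the pstorefs neverallow in domain.te keeps user builds denied`. Granting only `search` on the directory (rather than `r_dir_perms`) is appropriate for opening a fixed path and should be kept; `r_file_perms` matches the existing dumpstate-style convention for this filesystem.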