Merge "Constrain cgroups access."

commit: 99f2477953b645c00f53e36cceee7c689276d69e [log] [tgz]
author: Tri Vo <trong@google.com> Thu Oct 11 16:30:05 2018 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Oct 11 16:30:05 2018 +0000
tree: af9fb6f22b42b3676ae8172f426ba7d4602e7edb
parent: 49531c81c5347a432143c6209729d2a945db6c17 [diff]
parent: f55c989d18412ae711f00a25ec1ebabe1468325e [diff]
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 79faafa..3b5c5eb 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te

@@ -216,6 +216,7 @@
 }:service_manager find;
 # suppress denials for services dumpstate should not be accessing.
 dontaudit dumpstate {
+  apex_service
   dumpstate_service
   gatekeeper_service
   incident_service
@@ -272,6 +273,10 @@
 
 # For when dumpstate runs df
 dontaudit dumpstate mnt_vendor_file:dir search;
+dontaudit dumpstate apex_mnt_dir:dir getattr;
+
+# Allow dumpstate to talk to bufferhubd over binder
+binder_call(dumpstate, bufferhubd);
 
 # Allow dumpstate to kill vendor dumpstate service by init
 set_prop(dumpstate, ctl_dumpstate_prop)
commit	99f2477953b645c00f53e36cceee7c689276d69e	[log] [tgz]
author	Tri Vo <trong@google.com>	Thu Oct 11 16:30:05 2018 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Thu Oct 11 16:30:05 2018 +0000
tree	af9fb6f22b42b3676ae8172f426ba7d4602e7edb
parent	49531c81c5347a432143c6209729d2a945db6c17 [diff]
parent	f55c989d18412ae711f00a25ec1ebabe1468325e [diff]