Ensure taking a bugreport generates no denials.
This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.
Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.
Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
(cherry picked from commit daf1cdfa5ac7eca95f3b21034174a495a6760e47)
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 8b72457..2c2a62f 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -38,3 +38,10 @@
allow dumpstate {
statsd
}:process signal;
+
+# For collecting bugreports.
+allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+allow dumpstate dev_type:blk_file getattr;
+allow dumpstate webview_zygote:process signal;
+dontaudit dumpstate perfprofd:binder call;
+dontaudit dumpstate update_engine:binder call;
diff --git a/private/installd.te b/private/installd.te
index f74843d..0553716 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -16,3 +16,7 @@
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
+
+# For collecting bugreports.
+allow installd dumpstate:fd use;
+allow installd dumpstate:fifo_file r_file_perms;
diff --git a/private/storaged.te b/private/storaged.te
index f5b7092..8ad872f 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -51,6 +51,9 @@
# running as root. See b/35323867 #3.
dontaudit storaged self:global_capability_class_set dac_override;
+# For collecting bugreports.
+allow storaged dumpstate:fifo_file write;
+
###
### neverallow
###