Dumpstate: cleanup denial logspam
Dumpstate lists all services and then enumerates over them. Suppress
"find" denials for services which dumpstate is neverallowed access
to.
Dumpstate includes the kernel command line in bug reports. Grant access
to /proc/cmdline.
Test: build. Run adb bugreport.
Change-Id: I89b546c728a034638f9257c6cf93366d99a10762
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 42d9290..a814f16 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,6 +151,7 @@
read_runtime_log_tags(dumpstate)
# Read files in /proc
+allow dumpstate proc_cmdline:file r_file_perms;
allow dumpstate proc_meminfo:file r_file_perms;
allow dumpstate proc_net:file r_file_perms;
allow dumpstate proc_pagetypeinfo:file r_file_perms;
@@ -198,6 +199,16 @@
-vold_service
-vr_hwc_service
}:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+ dumpstate_service
+ gatekeeper_service
+ incident_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
+
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;