Allow dumpstate to dump incidentd
An incident.proto section has been added to the bugreport. Need
appropriate sepolicy changes to allow binder calls and fd access.
Bug: 119417232
Test: adb bugreport. Verify incident.proto is in the proto folder,
and there are no sepolicy violations.
Change-Id: Iac27cbf283a2e1cb41862c76343c2b639f6c0e1e
diff --git a/private/incidentd.te b/private/incidentd.te
index 4e80bdd..ad6fbf3 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -134,9 +134,9 @@
# Only incidentd can publish the binder service
add_service(incidentd, incident_service)
-# Allow pipes from (and only from) incident
-allow incidentd incident:fd use;
-allow incidentd incident:fifo_file write;
+# Allow pipes only from dumpstate and incident
+allow incidentd { dumpstate incident }:fd use;
+allow incidentd { dumpstate incident }:fifo_file write;
# Allow incident to call back to incident with status updates.
binder_call(incidentd, incident)
@@ -145,9 +145,10 @@
### neverallow rules
###
-# only system_server, system_app and incident command can find the incident service
+# only dumpstate, system_server, system_app and incident command can find the incident service
neverallow {
domain
+ -dumpstate
-incident
-incidentd
-statsd