iorapd: Allow dumpstate (bugreport) to dump iorapd
Bug: 152616197
Test: adb bugreport
Change-Id: I36e3b6d847341ddd84792ccc3f2c2c620e1c3f7b
Merged-In: I36e3b6d847341ddd84792ccc3f2c2c620e1c3f7b
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5f27d32..fd68bc7 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -233,7 +233,6 @@
-apex_service
-dumpstate_service
-gatekeeper_service
- -iorapd_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
@@ -244,7 +243,6 @@
apex_service
dumpstate_service
gatekeeper_service
- iorapd_service
virtual_touchpad_service
vold_service
vr_hwc_service
@@ -284,6 +282,9 @@
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
+# Allow dumpstate to talk to iorapd over binder.
+binder_call(dumpstate, iorapd)
+
# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
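Review bot: The added `binder_call(dumpstate, iorapd)` has no trailing semicolon, while the `binder_call(dumpstate, installd);` line directly above it does. Matching the neighbouring line with `binder_call(dumpstate, iorapd);` keeps the file consistent. The comment could also state the purpose rather than restate the macro, for example `# Allow dumpstate to call iorapd over binder to collect its dump for bugreports.`, so a later audit of dumpstate's binder peers can tell why this one exists.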
diff --git a/public/iorapd.te b/public/iorapd.te
index 4c08c72..426ecca 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -23,6 +23,9 @@
allow iorapd user_service:service_manager find;
# IPackageManagerNative
allow iorapd package_native_service:service_manager find;
+# Allow dumpstate (bugreport) to call into iorapd.
+allow iorapd dumpstate:fd use;
+allow iorapd dumpstate:fifo_file write;
# talk to batteryservice
binder_call(iorapd, healthd)
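Review bot: The comment above the two added `allow iorapd dumpstate:...` rules describes the wrong direction. These rules let iorapd use a file descriptor passed in by dumpstate and write to dumpstate's pipe, which is the output path of the dump. The binder call itself is granted by the `binder_call` rule in dumpstate.te. A more accurate comment would be `# Allow iorapd to write its dump output to the fd/pipe passed in by dumpstate (bugreport).`. Restricting `fifo_file` to `write` is suitably narrow and worth keeping that way.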
@@ -68,8 +71,8 @@
-iorapd
} { iorapd_data_file }:notdevfile_class_set *;
-# Only system_server can interact with iorapd over binder
-neverallow { domain -system_server -iorapd } iorapd_service:service_manager find;
+# Only system_server and shell (for dumpsys) can interact with iorapd over binder
+neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
neverallow iorapd {
domain
-healthd
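Review bot: The new comment on the `iorapd_service:service_manager find` neverallow names shell as the second permitted client, but the rule exempts `-dumpstate`, not `shell`. Someone auditing who may reach iorapd over binder would take the wrong domain from the comment. Suggest `# Only system_server and dumpstate (for bugreport) can interact with iorapd over binder`. If direct shell access through dumpsys was actually intended, this rule still forbids it and that would need a separate, explicit decision. The `neverallow iorapd {` block that follows continues outside this hunk.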