Allow lpdumpd to read Virtual A/B diagnostics. Give lpdump read (but not write) access to /metadata/ota so it can call SnapshotManager::Dump for diagnostics. Bug: 291083311 Test: lpdump Change-Id: I732bcebcd809449c86254ea23785dc2c692bedd5

commit: e6ad1f2e4c1f4557a07139cbef259eaf67000ecd [log] [tgz]
author: David Anderson <dvander@google.com> Fri Jul 14 09:07:18 2023 -0700
committer: David Anderson <dvander@google.com> Fri Jul 14 09:08:56 2023 -0700
tree: b8fa6a79cbbd3646b6cbb32741d04a377012ab11
parent: 49fa8f5fe6c805d7d435f6ff6d1186d82ceadf01 [diff]
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 9f5f87e..09ba079 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te

@@ -18,6 +18,16 @@
 allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
 read_fstab(lpdumpd)
 
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(lpdumpd, sysfs_dt_firmware_android);
+allow lpdumpd proc_cmdline:file r_file_perms;
+
+# Allow reading Virtual A/B status information.
+get_prop(lpdumpd, virtual_ab_prop)
+allow lpdumpd metadata_file:dir search;
+allow lpdumpd ota_metadata_file:dir { r_dir_perms lock };
+allow lpdumpd ota_metadata_file:file r_file_perms;
+
 ### Neverallow rules
 
 # Disallow other domains to get lpdump_service and call lpdumpd.
commit	e6ad1f2e4c1f4557a07139cbef259eaf67000ecd	[log] [tgz]
author	David Anderson <dvander@google.com>	Fri Jul 14 09:07:18 2023 -0700
committer	David Anderson <dvander@google.com>	Fri Jul 14 09:08:56 2023 -0700
tree	b8fa6a79cbbd3646b6cbb32741d04a377012ab11
parent	49fa8f5fe6c805d7d435f6ff6d1186d82ceadf01 [diff]