Merge "Split mediaprovider from priv_app."
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 2e3888f..6b35e1c 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -144,12 +144,10 @@
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, cgroup)
-allow domain_deprecated proc_meminfo:file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
- -dumpstate
-fsck
-fsck_untrusted
-sdcardd
@@ -159,7 +157,6 @@
} proc:file r_file_perms;
auditallow {
domain_deprecated
- -dumpstate
-fsck
-fsck_untrusted
-system_server
@@ -167,7 +164,6 @@
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
auditallow {
domain_deprecated
- -dumpstate
-fingerprintd
-healthd
-netd
@@ -208,7 +204,6 @@
auditallow {
domain_deprecated
-appdomain
- -dumpstate
-fingerprintd
-healthd
-inputflinger
@@ -222,7 +217,6 @@
auditallow {
domain_deprecated
-appdomain
- -dumpstate
-fingerprintd
-healthd
-inputflinger
@@ -247,11 +241,4 @@
-system_server
-zygote
} cgroup:lnk_file r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -surfaceflinger
- -system_server
- -vold
-} proc_meminfo:file r_file_perms;
')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 29a8aed..605e836 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -29,6 +29,9 @@
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;
+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
# Create and write into /data/anr/
allow dumpstate self:capability { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
@@ -83,10 +86,19 @@
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;
-# df for /storage/emulated needs search
-allow dumpstate { block_device storage_file tmpfs }:dir { search getattr };
+
+# df for
+allow dumpstate {
+ block_device
+ cache_file
+ rootfs
+ selinuxfs
+ storage_file
+ tmpfs
+}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
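Review bot: The replacement comment `# df for` is cut off mid-sentence, so the reason for the widened directory rule is no longer recorded. The removed comment at least named /storage/emulated. The type set now also covers cache_file, rootfs and selinuxfs, and the added `allow dumpstate { cache_file rootfs }:lnk_file { getattr read };` has no comment at all. I would complete the first comment along the lines of `# df needs search/getattr on the directories of each mounted filesystem` and put `# resolve symlinks in / and /cache` above the lnk_file rule. That wording is inferred from the types listed, so adjust it to the denials that prompted the change.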
@@ -137,7 +149,8 @@
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)
-# Read /proc and /proc/net
+# Read files in /proc
+allow dumpstate proc_meminfo:file r_file_perms;
allow dumpstate proc_net:file r_file_perms;
r_dir_file(dumpstate, proc)
@@ -203,6 +216,9 @@
# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;
+# read default labeled files in /sys
+r_dir_file(dumpstate, sysfs)
+
###
### neverallow rules
###
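Review bot: `r_dir_file(dumpstate, sysfs)` turns read access to every default-labelled file and directory under /sys into a permanent grant in public policy, and the comment gives no reason or plan to narrow it. The `-dumpstate` entries removed from the auditallow sets in domain_deprecated.te suggest this access previously came through the deprecated attribute, which presumably existed to be phased out. Since dumpstate's output goes into bug reports, I would either scope the rule to the specific sysfs types dumpstate reads or mark it for follow-up, for example `# TODO: narrow to specific sysfs types; broad read carried over from domain_deprecated`. The neverallow section that follows continues outside the hunk, so I cannot tell whether it constrains this grant.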