commit ef5e5c82d4ff437b5c942de920e8ce7e919a6053
author Jeff Sharkey <jsharkey@google.com> Mon Feb 06 14:25:48 2023 -0700
committer Jeff Sharkey <jsharkey@google.com> Fri Feb 10 14:02:35 2023 +0000
tree efaf6169af463a2666b047af108ff9d6284f0061
parent 15d5e5f1739451691d7d034a326000fff621bb88

Add dropbox entries as files to dumpstate ZIP.

Since each dropbox entry is already stored as a file on disk, include
them as-is into the dumpstate ZIP file.

The dumpsys output has already included truncated versions of all
dropbox entries for many years, and adding them as separate files
inside the dumpstate ZIP will speed up debugging and issue triage.

Bug: 267673062
Test: manual
Change-Id: I6e83dd01221f43bb2e2efc1a12368db30a545c71

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index 00936b8..c888125 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -218,8 +218,18 @@
 
 # System_server owns dropbox data, and init creates/restorecons the directory
 # Disallow direct access by other processes.
-neverallow { domain -init -system_server } dropbox_data_file:dir *;
-neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
+neverallow {
+  domain
+  -init
+  -system_server
+  userdebug_or_eng(`-dumpstate')
+} dropbox_data_file:dir *;
+neverallow {
+  domain
+  -init
+  -system_server
+  userdebug_or_eng(`-dumpstate')
+} dropbox_data_file:file ~{ getattr read };
 
 ###
 # Services should respect app sandboxes
@@ -739,4 +749,4 @@
 neverallow { domain -init } mtectrl:process { dyntransition transition };
 
 # For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
-neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
\ No newline at end of file
+neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;

private/dumpstate.te

diff --git a/private/dumpstate.te b/private/dumpstate.te
index fe442b3..850b0d8 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -27,6 +27,12 @@
   allow dumpstate wm_trace_data_file:file r_file_perms;
 ')
 
+# /data/system/dropbox for dropbox entries
+userdebug_or_eng(`
+  allow dumpstate dropbox_data_file:dir r_dir_perms;
+  allow dumpstate dropbox_data_file:file r_file_perms;
+')
+
 # Allow dumpstate to make binder calls to incidentd
 binder_call(dumpstate, incidentd)