allow shell dmesg
Allow the shell user to see the dmesg output. This data is already
available via "adb bugreport", but isn't easy to access.
Bug: 10020939
Change-Id: I9d4bbbd41cb02b707cdfee79f826a39c1ec2f177
diff --git a/app.te b/app.te
index 8318b16..296a536 100644
--- a/app.te
+++ b/app.te
@@ -318,7 +318,9 @@
# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app -unconfineddomain }
- kernel:system { syslog_read syslog_mod syslog_console };
+ kernel:system { syslog_mod syslog_console };
+neverallow { appdomain -system_app -unconfineddomain -shelldomain }
+ kernel:system syslog_read;
# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
diff --git a/shelldomain.te b/shelldomain.te
index 0a86426..3dd0941 100644
--- a/shelldomain.te
+++ b/shelldomain.te
@@ -32,3 +32,6 @@
# Directory read access and file write access is already granted
# in domain.te.
allow shelldomain debugfs:file r_file_perms;
+
+# allow shell to run dmesg
+allow shelldomain kernel:system syslog_read;