commit fd8f305bd3c5382477d43c8f52bd3ef02ebcb20f
author William Roberts <william.c.roberts@intel.com> Wed May 03 10:26:40 2017 -0700
committer William Roberts <william.c.roberts@intel.com> Wed May 03 10:40:18 2017 -0700
tree ce4bad7d099c8806b224d5950a78617ffc907d39
parent 7f4b2ad58419ca876fb5cc5df9d8c1f81ca86058

storaged: add permissions for dumpstate

The service "storaged" implememnts a dump() interface for
dumpsys, and thus it needs to write its state to the fd
provided by dumpstate.

To correct this, and fix dumpstate, allow the permission.

Fixes:
avc: denied { use } for pid=3298 comm="dumpsys" path="pipe:[33470]" dev="pipefs" ino=33470 scontext=u:r:storaged:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=0

Test:
With a device that has storaged, issue the command:
$ adb shell dumpstate

Change-Id: I515e20f0328b6edc01ea2a7c53b1d3c4ca0e72ac
Signed-off-by: William Roberts <william.c.roberts@intel.com>

private/storaged.te

diff --git a/private/storaged.te b/private/storaged.te
index 698999f..bf13a15 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -35,6 +35,9 @@
 allow storaged batteryproperties_service:service_manager find;
 binder_call(storaged, healthd)
 
+# Implements a dumpsys interface.
+allow storaged dumpstate:fd use;
+
 # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
 # running as root. See b/35323867 #3.
 dontaudit storaged self:capability dac_override;