From 76f7261d1411d0e0a5e243b9c6f8d9d8e612b739 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Wed, 15 May 2024 10:43:45 +1000
Subject: [PATCH] Grant dumpstate append to app_data_file_type

dumpstate may be executed by apps in different domains. Notably, a system_app needs to be able to save the output in its own directory.
avc: denied { append } for comm="binder:575_1" dev="dm-50" ino=10712 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file
Using the app_data_file_type attribute to capture all the potential app data types. For info, the current Cuttlefish policy has:
$ seinfo -x -a app_data_file_type cf_policy
attribute app_data_file_type; app_data_file bluetooth_data_file nfc_data_file privapp_data_file radio_data_file sdk_sandbox_data_file shell_data_file storage_area_app_dir storage_area_content_file storage_area_dir system_app_data_file
Test: bugreport
Change-Id: I7685c1fcdb3896c44fe44008b1b262c3f1e90a01
---
 private/dumpstate.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/private/dumpstate.te b/private/dumpstate.te
index bccbafdd0..2d7a1c920 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -195,7 +195,7 @@ allow dumpstate anr_data_file:file create_file_perms;
 allow dumpstate system_data_file:file r_file_perms;
 # Allow dumpstate to append into apps' private files.
-allow dumpstate { privapp_data_file app_data_file }:file append;
+allow dumpstate app_data_file_type:file append;
 # Read dmesg
 allow dumpstate self:global_capability2_class_set syslog;
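Review bot: The new `allow dumpstate app_data_file_type:file append;` rule targets an open-ended attribute, so any type that later gains `app_data_file_type` inherits the grant without a change to dumpstate.te. Per the seinfo output in the description, the set already includes `shell_data_file`, `sdk_sandbox_data_file` and `storage_area_content_file`. The rule grants `append` only, with no `open`, `create` or `write`, so as far as this hunk shows dumpstate can reach these files only through a descriptor the caller hands over; rules outside the hunk may grant more for individual types. That constraint is what keeps the wider target set acceptable, and the unchanged comment above the rule does not state it. I would extend the comment to `# Allow dumpstate to append to app data files through a caller-supplied fd.` followed by `# append only: no open/create, so dumpstate cannot choose the target file itself.`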