Handle denials caused by taking a bugreport.
apex_service is already in the list of services dumpstate cannot find; this ensures that the dontaudit list is the same. We hide the denial caused by df reading one of its directories. dumpstate can already call all binder services, so we enable it to call bufferhubd.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie5acc84326fa504199221df825549479f3cf50e1
parent 9a06d551c6
commit 49531c81c5
1 changed file with 5 additions and 0 deletions
@ -216,6 +216,7 @@ allow dumpstate {
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
apex_service
dumpstate_service
gatekeeper_service
incident_service
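Review bot: the `dontaudit dumpstate { ... }` set and the `allow dumpstate { ... }:service_manager find;` list directly above it are hand-maintained mirrors of each other, and the commit message says apex_service was already in the find list; a comment on the dontaudit block stating that it must track the find list (or a test that diffs the two) would keep them from drifting apart again. Keep in mind that dontaudit only silences the log entry: the find still fails, so if dumpstate ever needs APEX information from this service the failure will be invisible in the audit log.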
@ -272,6 +273,10 @@ allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:sock
# For when dumpstate runs df
dontaudit dumpstate mnt_vendor_file:dir search;
dontaudit dumpstate apex_mnt_dir:dir getattr;
# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);
# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)
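Review bot: the comment above `binder_call(dumpstate, bufferhubd);` only says "talk to"; state what dumpstate actually collects from bufferhubd (presumably a dump section for the bugreport) so the next reader can judge whether the grant is still needed, and note that the `binder_call` macro also gives bufferhubd the reverse `transfer` permission, which is more than a one-way call. For the new `dontaudit dumpstate apex_mnt_dir:dir getattr;`, the neighbouring `mnt_vendor_file` line silences `search` rather than `getattr`; confirm that the df path only hits getattr on apex_mnt_dir, otherwise the bugreport test will still see a denial.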