Grant dumpstate append to app_data_file_type

dumpstate may be executed by apps in different domains. Notably, a
system_app needs to be able to save the output in its own directory.

  avc:  denied  { append } for comm="binder:575_1" dev="dm-50"
  ino=10712 scontext=u:r:dumpstate:s0
  tcontext=u:object_r:system_app_data_file:s0 tclass=file

Using the app_data_file_type attribute to capture all the potential app
data types. For info, the current Cuttlefish policy has:

  $ seinfo -x -a app_data_file_type cf_policy
    attribute app_data_file_type;
        app_data_file
        bluetooth_data_file
        nfc_data_file
        privapp_data_file
        radio_data_file
        sdk_sandbox_data_file
        shell_data_file
        storage_area_app_dir
        storage_area_content_file
        storage_area_dir
        system_app_data_file

Test: bugreport
Change-Id: I7685c1fcdb3896c44fe44008b1b262c3f1e90a01
Thiébaud Weksteen 2024-05-15 10:43:45 +10:00
parent fff886e374
commit 76f7261d14


@ -195,7 +195,7 @@ allow dumpstate anr_data_file:file create_file_perms;
allow dumpstate system_data_file:file r_file_perms; allow dumpstate system_data_file:file r_file_perms;
# Allow dumpstate to append into apps' private files. # Allow dumpstate to append into apps' private files.
allow dumpstate { privapp_data_file app_data_file }:file append; allow dumpstate app_data_file_type:file append;
# Read dmesg # Read dmesg
allow dumpstate self:global_capability2_class_set syslog; allow dumpstate self:global_capability2_class_set syslog;
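Review bot: the replacement rule `allow dumpstate app_data_file_type:file append;` grants append on every type carrying the attribute, which according to the seinfo listing in the commit message includes shell_data_file, sdk_sandbox_data_file and the three storage_area_* types, whereas the quoted denial only involves system_app_data_file. If the goal is just to let the app domains that can invoke dumpstate receive the output, consider keeping an explicit list, e.g. `allow dumpstate { privapp_data_file app_data_file system_app_data_file }:file append;`, or extend the comment above the rule to state why the whole attribute (and any type added to it in future) should be writable by dumpstate. Restricting the permission to append rather than write is the right call since it does not let dumpstate read or truncate app private files; worth noting that in the comment as well.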