* commit '8aaf546402485c6b37218a077b5bb38f8634ebf9': Dumpstate runs the same from shell as service.
commit
a9ff322077
3 changed files with 12 additions and 4 deletions
5
app.te
5
app.te
|
@ -263,8 +263,9 @@ neverallow appdomain { domain -appdomain }:process
|
|||
{ sigkill sigstop signal };
|
||||
|
||||
# Transition to a non-app domain.
|
||||
# Exception for the shell domain, can transition to runas, etc.
|
||||
neverallow { appdomain -shell } { domain -appdomain }:process
|
||||
# Exception for the shell domain and the su domain, can transition to runas,
|
||||
# etc.
|
||||
neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
|
||||
{ transition dyntransition };
|
||||
|
||||
# Write to rootfs.
|
||||
|
|
|
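Review bot: The new comment above the transition neverallow reads as if su were exempt on every build, but the rule only subtracts it inside `userdebug_or_eng(...)`, so the exemption does not exist on user builds. I would say so in the comment, for example `# Exception for the shell domain and, on userdebug/eng builds only, the su domain,` followed by `# which can transition to runas, etc.` That keeps a later reader from copying `-su` into a rule outside the macro and widening the exemption on production builds.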
@ -6,8 +6,9 @@ init_daemon_domain(dumpstate)
|
|||
net_domain(dumpstate)
|
||||
binder_use(dumpstate)
|
||||
|
||||
# Drop privileges by switching UID / GID
|
||||
allow dumpstate self:capability { setuid setgid };
|
||||
# Allow setting process priority, protect from OOM killer, and dropping
|
||||
# privileges by switching UID / GID
|
||||
allow dumpstate self:capability { setuid setgid sys_resource };
|
||||
|
||||
# Allow dumpstate to scan through /proc/pid for all processes
|
||||
r_dir_file(dumpstate, domain)
|
||||
|
@ -119,3 +120,5 @@ allow dumpstate {
|
|||
}:service_manager find;
|
||||
|
||||
allow dumpstate servicemanager:service_manager list;
|
||||
|
||||
allow dumpstate devpts:chr_file rw_file_perms;
|
||||
|
|
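Review bot: `allow dumpstate devpts:chr_file rw_file_perms;` in the last hunk of this section is added without a comment, and it covers every character device labeled `devpts`, not only the terminal of the session that started dumpstate. Judging by the commit title, the purpose is presumably to let dumpstate write its output to the pty of the shell or su session; a comment such as `# Write to the pty of the shell or su session that launched dumpstate.` would record that. If dumpstate only writes there, consider granting just the write-side permissions instead of `rw_file_perms`, so the domain does not also hold read access to other sessions' terminals. The file header for this section is missing on the page, so the file name is inferred from the dumpstate rules.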
4
su.te
4
su.te
|
@ -12,6 +12,10 @@ userdebug_or_eng(`
|
|||
# additional information.
|
||||
domain_auto_trans(dumpstate, su_exec, su)
|
||||
|
||||
# Make sure that dumpstate runs the same from the "su" domain as
|
||||
# from the "init" domain.
|
||||
domain_auto_trans(su, dumpstate_exec, dumpstate)
|
||||
|
||||
# su is also permissive to permit setenforce.
|
||||
permissive su;
|
||||
|
||||
|
|
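Review bot: The comment on `domain_auto_trans(su, dumpstate_exec, dumpstate)` says dumpstate runs as it does from the "init" domain, which hides the security-relevant effect: a dumpstate started from su leaves the permissive su domain and is confined by the dumpstate rules. I would word it as `# Run dumpstate in the dumpstate domain when started from su, as when init starts it,` and `# so it does not inherit su's permissive mode.` The rule sits inside the `userdebug_or_eng(` block that opens above the hunk, so it has no effect on user builds. It is worth confirming on a userdebug device that a bugreport taken from su produces no new denials.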