am 8aaf5464: am 5ec38c49: Dumpstate runs the same from shell as service.

* commit '8aaf546402485c6b37218a077b5bb38f8634ebf9':
  Dumpstate runs the same from shell as service.

app.te

@@ -263,8 +263,9 @@ neverallow appdomain { domain -appdomain }:process
     { sigkill sigstop signal };
 
 # Transition to a non-app domain.
-# Exception for the shell domain, can transition to runas, etc.
+# Exception for the shell domain and the su domain, can transition to runas,
-neverallow { appdomain -shell } { domain -appdomain }:process
+# etc.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
     { transition dyntransition };
 
 # Write to rootfs.

dumpstate.te

@@ -6,8 +6,9 @@ init_daemon_domain(dumpstate)
 net_domain(dumpstate)
 binder_use(dumpstate)
 
-# Drop privileges by switching UID / GID
+# Allow setting process priority, protect from OOM killer, and dropping
-allow dumpstate self:capability { setuid setgid };
+# privileges by switching UID / GID
+allow dumpstate self:capability { setuid setgid sys_resource };
 
 # Allow dumpstate to scan through /proc/pid for all processes
 r_dir_file(dumpstate, domain)
@@ -119,3 +120,5 @@ allow dumpstate {
 }:service_manager find;
 
 allow dumpstate servicemanager:service_manager list;
+
+allow dumpstate devpts:chr_file rw_file_perms;

su.te

@@ -12,6 +12,10 @@ userdebug_or_eng(`
   # additional information.
   domain_auto_trans(dumpstate, su_exec, su)
 
+  # Make sure that dumpstate runs the same from the "su" domain as
+  # from the "init" domain.
+  domain_auto_trans(su, dumpstate_exec, dumpstate)
+
   # su is also permissive to permit setenforce.
   permissive su;