From 77a236c9095db4bbfcffa8def9a719ef4af87987 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 1 Aug 2014 10:15:24 -0400
Subject: [PATCH] Allow dumpstate to dump backtraces of certain native
 processes.

The list of processes comes from frameworks/native/cmds/dumpstate/utils.c.
dumpstate calls dump_backtrace_to_file() for each such process, which
asks debuggerd to dump the backtrace.

Resolves denials such as:
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:surfaceflinger:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:drmserver:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:mediaserver:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:sdcardd:s0 tclass=debuggerd

Change-Id: Idbfb0fef0aac138073b7217b7dbad826a1193098
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 dumpstate.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dumpstate.te b/dumpstate.te
index 481febad2..e6128e936 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,6 +48,8 @@ allow dumpstate { appdomain system_server }:process signal;
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in dumpstate/utils.c
 allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+# Ask debuggerd for the backtraces of these processes.
+allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
 
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
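Review bot: The domain set `{ drmserver mediaserver sdcardd surfaceflinger }` is now written out twice, once on the existing `:process signal` rule and once on the added `:debuggerd dump_backtrace` rule, and both copies have to track native_processes_to_dump in dumpstate/utils.c. If a later change updates only one of them, dumpstate would either hit a new denial for the backtrace request or keep a debuggerd permission on a domain it no longer dumps. The added comment could carry the reminder: `# Ask debuggerd for the backtraces of these processes; keep this set identical to the signal rule above.` The grant is limited to dump_backtrace on the four listed domains, which matches the denials quoted in the commit message.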
-- 
GitLab