From 839c7ded30ddab5a8e4d4f9b182fe2b6cbb85738 Mon Sep 17 00:00:00 2001
From: Steven Moreland <smoreland@google.com>
Date: Tue, 29 Nov 2016 13:54:56 -0800
Subject: [PATCH] dumpstate: talk to vibrator hal

Bug: 33067126
Test: Dumpstate vibrator works.
Change-Id: I46ff453218ba77f156e13b448e3cba9a291df0e7
---
 public/dumpstate.te | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 24e345eb3..77bb08286 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -79,11 +79,6 @@ allow dumpstate {
   surfaceflinger
 }:debuggerd dump_backtrace;
 
-# Vibrate the device after we're done collecting the bugreport
-# /sys/class/timed_output/vibrator/enable
-# TODO: create a new file class, instead of allowing write access to all of /sys
-allow dumpstate sysfs:file w_file_perms;
-
 # TODO: added to match above sysfs rule. Remove me?
 allow dumpstate sysfs_usb:file w_file_perms;
 
@@ -102,6 +97,13 @@ r_dir_file(dumpstate, cgroup)
 binder_call(dumpstate, binderservicedomain)
 binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
 
+# Vibrate the device after we are done collecting the bugreport
+# For binderized mode:
+binder_call(dumpstate, hal_vibrator)
+binder_call(dumpstate, hwservicemanager)
+# For passthrough mode:
+allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
+
 # Reading /proc/PID/maps of other processes
 allow dumpstate self:capability sys_ptrace;
 
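Review bot: The passthrough rule `allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };` grants more than the rule it replaces and lists a redundant permission. The removed rule gave dumpstate only `w_file_perms` on sysfs, whereas this one adds read access, and `getattr` is already part of `rw_file_perms` through `r_file_perms`. If dumpstate only writes the enable node, `allow dumpstate sysfs_vibrator:file w_file_perms;` keeps the grant as narrow as before. If the passthrough implementation does stat or read the node (not visible from this hunk), a one-line comment saying so would justify the wider set. The removed comment also named the path, `/sys/class/timed_output/vibrator/enable`, which is worth keeping next to the new rule so a reader can tell which node `sysfs_vibrator` is expected to label.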
@@ -210,3 +212,7 @@ neverallow { domain -dumpstate } dumpstate_service:service_manager add;
 
 # only system_server and shell can find the dumpstate service
 neverallow { domain -system_server -shell } dumpstate_service:service_manager find;
+
+# Dumpstate should not be writing to any generically labeled sysfs files.
+# Create a specific label for the file type
+neverallow dumpstate sysfs:file no_w_file_perms;
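Review bot: The comment above the new neverallow does not tell someone who trips it what to do, and the rule leaves a neighbouring write grant unexplained. A clearer wording would be `# dumpstate must not write to generically labeled sysfs files; give the node its own type (as with sysfs_vibrator) and allow that type instead.` The rule covers only the `sysfs` type, so `allow dumpstate sysfs_usb:file w_file_perms;` in the first hunk still stands. Its TODO (`added to match above sysfs rule. Remove me?`) now refers to a rule this commit deletes, so that line should either be dropped or given its own justification.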
-- 
GitLab