From b5dd44b1ba22e47360714513bc78de6c5c23ec64 Mon Sep 17 00:00:00 2001
From: Steven Moreland <smoreland@google.com>
Date: Thu, 31 Aug 2017 14:51:19 -0700
Subject: [PATCH] Add permissions for screencap for dumpstate.
screencap domain needs additional permissions for
dumpstate to dump screenshots.
Test: adb shell cmd activity bug-report
Bug: 65206688
Change-Id: I824f345fd90d286454d570576c5888d7719c4c5c
---
private/screencap.te | 3 ++-
public/domain.te | 3 +++
public/screencap.te | 1 +
3 files changed, 6 insertions(+), 1 deletion(-)
create mode 100644 public/screencap.te
diff --git a/private/screencap.te b/private/screencap.te
index 764880f55..d6bf489a9 100644
--- a/private/screencap.te
+++ b/private/screencap.te
@@ -1,4 +1,3 @@
-type screencap, domain;
type screencap_exec, exec_type, file_type;
typeattribute screencap coredomain;
@@ -35,6 +34,8 @@ allow screencap mnt_user_file:dir search;
allow screencap mnt_user_file:lnk_file read;
allow screencap sdcardfs:dir { search write };
allow screencap sdcardfs:file { open write };
+allow screencap shell_data_file:file create_file_perms;
+allow screencap shell_data_file:dir rw_dir_perms;
allow screencap storage_file:dir search;
allow screencap storage_file:lnk_file read;
allow screencap tmpfs:dir search;
diff --git a/public/domain.te b/public/domain.te
index f5c72cc4d..aca976c67 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -924,6 +924,7 @@ neverallow {
-dumpstate
-installd
-init
+ -screencap
-shell
-vold
} shell_data_file:dir no_w_dir_perms;
@@ -935,6 +936,7 @@ neverallow {
-dumpstate
-init
-installd
+ -screencap
-system_server # why?
userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };
@@ -947,6 +949,7 @@ neverallow {
-appdomain
-dumpstate
-installd
+ -screencap
userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;
diff --git a/public/screencap.te b/public/screencap.te
new file mode 100644
index 000000000..ad8639f0a
--- /dev/null
+++ b/public/screencap.te
@@ -0,0 +1 @@
+type screencap, domain;
--
GitLab