Allow dumpstate to acquire xtables.lock

iptables recently changed its behavior to strictly require xtables.lock. dumpstate selinux policy must be updated to allow access. Bug: 37648320 Test: dumpstate succeeds with no avc: denied ... xtables.lock messages Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd

Allow dumpstate to acquire xtables.lock
iptables recently changed its behavior to strictly require xtables.lock. dumpstate selinux policy must be updated to allow access. Bug: 37648320 Test: dumpstate succeeds with no avc: denied ... xtables.lock messages Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd
ca097979 · Joel Scherpelz · f84989e5 · ca097979
Commit ca097979 authored 7 years ago by Joel Scherpelz
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -5,6 +5,9 @@ init_daemon_domain(dumpstate)
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)

+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
 # TODO: deal with tmpfs_domain pub/priv split properly
 allow dumpstate dumpstate_tmpfs:file execute;