Ensure taking a bugreport generates no denials.

Allow dumpstate to get information about sockets and dontaudit accessing vendor files when running df. Bug: 112440280 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials Change-Id: Ide3cb2f3ce3f079bf30b3bd46810f9b55e105b2b

Ensure taking a bugreport generates no denials.
Allow dumpstate to get information about sockets and dontaudit accessing vendor files when running df. Bug: 112440280 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials Change-Id: Ide3cb2f3ce3f079bf30b3bd46810f9b55e105b2b
e9ee9d86 · Joel Galenson · f4343775 · e9ee9d86
Commit e9ee9d86 authored 6 years ago by Joel Galenson
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -264,6 +264,12 @@ allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4) have a new class for sockets
 allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

+# Allow dumpstate to run ss
+allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+
+# For when dumpstate runs df
+dontaudit dumpstate mnt_vendor_file:dir search;
+
 # Allow dumpstate to kill vendor dumpstate service by init
 set_prop(dumpstate, ctl_dumpstate_prop)