From e9ee9d86d04f7245d7b36958a684a173c8aebe7e Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Mon, 10 Sep 2018 15:48:34 -0700
Subject: [PATCH] Ensure taking a bugreport generates no denials.

Allow dumpstate to get information about sockets and dontaudit
accessing vendor files when running df.

Bug: 112440280
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ide3cb2f3ce3f079bf30b3bd46810f9b55e105b2b
---
 public/dumpstate.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3b246c190..e7fa83f0c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -264,6 +264,12 @@ allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
 # newer kernels (e.g. 4.4) have a new class for sockets
 allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
 
+# Allow dumpstate to run ss
+allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+
+# For when dumpstate runs df
+dontaudit dumpstate mnt_vendor_file:dir search;
+
 # Allow dumpstate to kill vendor dumpstate service by init
 set_prop(dumpstate, ctl_dumpstate_prop)
 
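Review bot: The `dontaudit dumpstate mnt_vendor_file:dir search;` line hides a denial without recording why it is safe to hide, which is what a later policy reader needs before deciding whether to turn it into an `allow`. A comment such as `# df walks every mount point; the bugreport does not need vendor mount contents, so silence the denial rather than grant search` would carry that reasoning (the rationale is inferred from the subject line and commit message, so confirm it before adopting the wording). The `allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;` rule likewise deserves a note that it is intentionally broad — every socket class of every process domain — and limited to getattr, since a reader seeing `domain` in the source set will otherwise flag it as an over-grant; something like `# ss enumerates sockets of all domains; getattr only, no read/write` states that scope up front.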
-- 
GitLab