From f7bfd489d2712766a183b957191fdb2d62514262 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Tue, 19 Apr 2016 08:05:44 +0900
Subject: [PATCH] Allow bugreports to dump the native netd service state.

Bug: 28251026
Change-Id: I73dce178b873d45e703896f12c10325af2ade81d
---
 dumpstate.te | 5 +++--
 netd.te      | 7 ++++---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/dumpstate.te b/dumpstate.te
index 5095ecdbe..ebc0d676c 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -70,7 +70,8 @@ allow dumpstate { dm_device cache_block_device }:blk_file getattr;
 
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain autoplay_app })
+binder_call(dumpstate, { appdomain autoplay_app netd })
+
 # Reading /proc/PID/maps of other processes
 allow dumpstate self:capability sys_ptrace;
 
@@ -123,7 +124,7 @@ userdebug_or_eng(`
   allow dumpstate misc_logd_file:file r_file_perms;
 ')
 
-allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 allow dumpstate devpts:chr_file rw_file_perms;
 
diff --git a/netd.te b/netd.te
index 6864ad6e7..0d9c047a4 100644
--- a/netd.te
+++ b/netd.te
@@ -60,6 +60,7 @@ set_prop(netd, ctl_mdnsd_prop)
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
 allow netd netd_service:service_manager add;
+allow netd dumpstate:fifo_file { getattr write };
 
 # Allow netd to call into the system server so it can check permissions.
 allow netd system_server:binder call;
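Review bot: The new `netd` member of `binder_call(dumpstate, { appdomain autoplay_app netd })` is the rule that lets dumpstate reach a native daemon, yet the only comment in this block describes the `binderservicedomain` rule above it and nothing records why netd sits in a set otherwise made of app domains. Presumably netd is not part of binderservicedomain (otherwise the entry would be redundant), so a reader has to cross-reference netd.te to learn that this exists for bugreport dumps. A one-line comment above the rule would keep that intent with the grant: `# Allow dumpstate to dump netd's state in bugreports; see the matching neverallow carve-out in netd.te.` The added `+` blank line below it separates the binder rules from the ptrace rule, which reads fine.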
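Review bot: The new `allow netd dumpstate:fifo_file { getattr write };` covers writing into a dumpstate-labelled pipe, but if that pipe's descriptor reaches netd as a binder-transferred fd from dumpstate, the write is also subject to an `fd use` check against dumpstate, and the `binder_call(dumpstate, netd)` added in dumpstate.te only grants `fd use` in the dumpstate-to-netd direction. Whether `allow netd dumpstate:fd use;` is needed here cannot be told from the patch alone; it is worth confirming against a userdebug build's denials before this lands, since a missing rule would show up as a silently empty netd section in bugreports rather than as a build error. The rule is also the one line in this block with no comment; `# Allow netd to write its dump output into the pipe dumpstate passes it.` would explain why a network daemon touches dumpstate's fifo at all.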
@@ -90,7 +91,7 @@ neverallow netd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
 
-# only system_server may interact with netd over binder
-neverallow { domain -system_server } netd_service:service_manager find;
-neverallow { domain -system_server } netd:binder call;
+# only system_server and dumpstate may interact with netd over binder
+neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } netd:binder call;
 neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
-- 
GitLab
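Review bot: The `-dumpstate` carve-out in both rewritten neverallow rules admits dumpstate to every netd binder transaction, not only a dump request, because these permissions are granted per domain and binder has no per-method granularity at this layer. Until this change the policy guaranteed that any caller reaching netd over binder was system_server; if netd's handlers rely on that (the comment in the @@ -60 hunk says netd calls into system_server to check permissions, which suggests they may not, but the patch cannot show it), that assumption no longer holds and should be re-checked against the new caller. The updated comment states who may connect but not what they are expected to do, so I would extend it: `# only system_server and dumpstate may interact with netd over binder; dumpstate is expected to request dumps only, and netd's own per-call permission checks still apply to it.`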