Commit f7bfd489 authored by Lorenzo Colitti's avatar Lorenzo Colitti

Allow bugreports to dump the native netd service state.

Bug: 28251026
Change-Id: I73dce178b873d45e703896f12c10325af2ade81d
parent 0959aa67
...@@ -70,7 +70,8 @@ allow dumpstate { dm_device cache_block_device }:blk_file getattr; ...@@ -70,7 +70,8 @@ allow dumpstate { dm_device cache_block_device }:blk_file getattr;
# Allow dumpstate to make binder calls to any binder service # Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain) binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain autoplay_app }) binder_call(dumpstate, { appdomain autoplay_app netd })
# Reading /proc/PID/maps of other processes # Reading /proc/PID/maps of other processes
allow dumpstate self:capability sys_ptrace; allow dumpstate self:capability sys_ptrace;
...@@ -123,7 +124,7 @@ userdebug_or_eng(` ...@@ -123,7 +124,7 @@ userdebug_or_eng(`
allow dumpstate misc_logd_file:file r_file_perms; allow dumpstate misc_logd_file:file r_file_perms;
') ')
allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find; allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
allow dumpstate servicemanager:service_manager list; allow dumpstate servicemanager:service_manager list;
allow dumpstate devpts:chr_file rw_file_perms; allow dumpstate devpts:chr_file rw_file_perms;
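Review bot: The comment above the two `binder_call` lines still reads "any binder service", while the new side adds `netd` to the second rule as an explicitly named domain, and nothing in the policy text records that this is meant for bugreport dumps only. A line such as `# netd is listed explicitly so bugreports can dump its state; no other use is intended` above that rule would keep the grant from being read as general-purpose. In the second hunk, the `service_manager find` rule that drops `-netd_service` sits after the closing `')` of the `userdebug_or_eng` block, so the lookup is granted on every build type; that looks intended for bugreports but is worth stating in the commit message. The first hunk header counts one more added line than this rendering shows, so a comment may already exist there.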
......
...@@ -60,6 +60,7 @@ set_prop(netd, ctl_mdnsd_prop) ...@@ -60,6 +60,7 @@ set_prop(netd, ctl_mdnsd_prop)
# Allow netd to publish a binder service and make binder calls. # Allow netd to publish a binder service and make binder calls.
binder_use(netd) binder_use(netd)
allow netd netd_service:service_manager add; allow netd netd_service:service_manager add;
allow netd dumpstate:fifo_file { getattr write };
# Allow netd to call into the system server so it can check permissions. # Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call; allow netd system_server:binder call;
...@@ -90,7 +91,7 @@ neverallow netd system_file:dir_file_class_set write; ...@@ -90,7 +91,7 @@ neverallow netd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data # Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write; neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
# only system_server may interact with netd over binder # only system_server and dumpstate may interact with netd over binder
neverallow { domain -system_server } netd_service:service_manager find; neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
neverallow { domain -system_server } netd:binder call; neverallow { domain -system_server -dumpstate } netd:binder call;
neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call; neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
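Review bot: Adding `-dumpstate` to both `neverallow` rules means the policy no longer separates a dump request from any other transaction on netd's binder interface, so limiting dumpstate to dumping depends on caller checks inside netd that are not visible on this page. It is worth confirming that those checks cover every non-dump method before relying on this exception. The new `allow netd dumpstate:fifo_file { getattr write };` rule carries no comment; something like `# Allow netd to write its dump output to the pipe it receives from dumpstate.` would record why only `getattr` and `write` are granted (presumably the pipe is the bugreport output descriptor, which should be confirmed).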