From f821b5a7977102a417b32f358bf87d1e0cdeb06d Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 27 May 2014 16:49:59 -0700
Subject: [PATCH] allow shell dmesg

Allow the shell user to see the dmesg output. This data is already
available via "adb bugreport", but isn't easy to access.

Bug: 10020939
Change-Id: I9d4bbbd41cb02b707cdfee79f826a39c1ec2f177
---
 app.te         | 4 +++-
 shelldomain.te | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/app.te b/app.te
index 8318b1621..296a53647 100644
--- a/app.te
+++ b/app.te
@@ -318,7 +318,9 @@ neverallow { appdomain -unconfineddomain }
 
 # Access to syslog(2) or /proc/kmsg.
 neverallow { appdomain -system_app -unconfineddomain }
-    kernel:system { syslog_read syslog_mod syslog_console };
+    kernel:system { syslog_mod syslog_console };
+neverallow { appdomain -system_app -unconfineddomain -shelldomain }
+    kernel:system syslog_read;
 
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
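Review bot: The new `syslog_read` neverallow carves out `-shelldomain` without saying why, and the existing comment `# Access to syslog(2) or /proc/kmsg.` now sits above two rules with different exemption sets. A line above the second rule would make the split auditable, for example `# syslog_read only: shelldomain may read the kernel log (dmesg); syslog_mod and syslog_console remain forbidden to it.` `shelldomain` looks like an attribute rather than a single type (the patched file is `shelldomain.te`), so the exemption would apply to every domain that carries it. It is worth confirming that this set is as narrow as intended.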
diff --git a/shelldomain.te b/shelldomain.te
index 0a8642656..3dd0941f4 100644
--- a/shelldomain.te
+++ b/shelldomain.te
@@ -32,3 +32,6 @@ allow shelldomain powerctl_prop:property_service set;
 # Directory read access and file write access is already granted
 # in domain.te.
 allow shelldomain debugfs:file r_file_perms;
+
+# allow shell to run dmesg
+allow shelldomain kernel:system syslog_read;
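Review bot: The comment `# allow shell to run dmesg` names the tool but not what is being exposed or why that is acceptable. `kernel:system syslog_read` grants read access to the whole kernel ring buffer, which can contain kernel addresses and whatever drivers choose to log. The rationale from the commit message belongs next to the rule, for example `# Read-only access to the kernel log via syslog(2) for dmesg. The same data is already exposed to adb through "adb bugreport"; clearing or reconfiguring the log is not granted.` Whether kernel pointers in that output are masked depends on kernel settings such as `kptr_restrict`, which are outside this hunk, so that is worth verifying on the target builds.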
-- 
GitLab