Snap for 5742267 from bd653d8c964e403f89a1a27c82da1e501153e397 to pie-cts-release

Change-Id: I7088fad3b980d3ef49cb87ad0a611db1cfd98a34
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 2c2a62f..96e9de8 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -25,6 +25,9 @@
   allow dumpstate wm_trace_data_file:file r_file_perms;
 ')
 
+# Allow dumpstate to make binder calls to incidentd
+binder_call(dumpstate, incidentd)
+
 # Allow dumpstate to make binder calls to storaged service
 binder_call(dumpstate, storaged)
 
diff --git a/private/incident_helper.te b/private/incident_helper.te
index e1e3fc8..2fecfa2 100644
--- a/private/incident_helper.te
+++ b/private/incident_helper.te
@@ -6,8 +6,8 @@
 domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
 
 # use pipe to transmit data from/to incidentd/incident_helper for parsing
-allow incident_helper { shell incident incidentd }:fd use;
-allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+allow incident_helper { shell incident incidentd dumpstate }:fd use;
+allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write };
 allow incident_helper incidentd:unix_stream_socket { read write };
 
 # only allow incidentd and shell to call incident_helper
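Review bot: The two widened rules give incident_helper `getattr read write` on dumpstate's pipes, whereas the private/incidentd.te hunk in this commit gives incidentd only `write` on them. If the helper merely inherits the output pipe that dumpstate handed to incidentd (an inference, since the caller is not visible here), a separate narrower rule such as `allow incident_helper dumpstate:fifo_file { getattr write };` would keep the grant minimal instead of adding dumpstate to the shared set. The comment above the rules still names only incidentd and incident_helper. If inheritance is the reason, something like `# dumpstate's pipe is inherited through incidentd` would record why dumpstate appears here.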
diff --git a/private/incidentd.te b/private/incidentd.te
index 6b248f1..0ff74f8 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -125,9 +125,9 @@
 # Only incidentd can publish the binder service
 add_service(incidentd, incident_service)
 
-# Allow pipes from (and only from) incident
-allow incidentd incident:fd use;
-allow incidentd incident:fifo_file write;
+# Allow pipes only from dumpstate and incident
+allow incidentd { dumpstate incident }:fd use;
+allow incidentd { dumpstate incident }:fifo_file write;
 
 # Allow incident to call back to incident with status updates.
 binder_call(incidentd, incident)
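Review bot: The new comment says pipes are allowed "only from dumpstate and incident", but the two `allow` rules beneath it cannot enforce exclusivity. Nothing in this hunk stops another rule from granting incidentd access to other domains' pipes. Either reword it to `# Allow incidentd to use and write to pipes passed in by dumpstate and incident`, or back the claim with a neverallow in this file's neverallow section.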
@@ -136,9 +136,10 @@
 ### neverallow rules
 ###
 
-# only system_server, system_app and incident command can find the incident service
+# only dumpstate, system_server, system_app and incident command can find the incident service
 neverallow {
   domain
+  -dumpstate
   -incident
   -incidentd
   -statsd
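Review bot: The updated comment on this neverallow understates who may find the service: it lists dumpstate, system_server, system_app and the incident command, but the exclusion set visible here also exempts `incidentd` and `statsd`. Suggest `# only dumpstate, incident, incidentd, statsd, system_server and system_app can find the incident service`, adjusted to whatever the rest of the set contains, since the neverallow continues past the end of this hunk. The matching grant appears to come from dropping `-incident_service` in public/dumpstate.te rather than from an explicit allow, so a reader of this file alone will not see where dumpstate gets `find`.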
diff --git a/public/domain.te b/public/domain.te
index 0dd7ce3..2685d05 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -323,6 +323,7 @@
   -healthd
   -uncrypt
   -tee
+  -hal_bootctl_server
 } self:global_capability_class_set sys_rawio;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
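Review bot: `-hal_bootctl_server` is added to the sys_rawio neverallow exemptions without a comment, and it exempts an attribute rather than a single domain, so every domain that implements the bootctl HAL becomes eligible for CAP_SYS_RAWIO. No allow rule for the capability is visible in this diff, and the same commit removes `dontaudit hal_bootctl self:capability sys_rawio;` from public/hal_bootctl.te, so denials will be audited again unless device policy grants it. A comment next to the new entry, for example `# bootctl HAL implementations may need raw access to boot slot metadata` (confirm the actual reason), would let later reviewers judge whether the exemption is still needed. The neverallow begins before this hunk.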
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 23af7da..6fdc187 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -211,7 +211,6 @@
   service_manager_type
   -dumpstate_service
   -gatekeeper_service
-  -incident_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
@@ -220,7 +219,6 @@
 dontaudit dumpstate {
   dumpstate_service
   gatekeeper_service
-  incident_service
   virtual_touchpad_service
   vold_service
   vr_hwc_service
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 181de4a..8b240b1 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -4,5 +4,3 @@
 
 add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
 allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
-
-dontaudit hal_bootctl self:capability sys_rawio;