Allow dumpstate to run am and shell.
See http://code.google.com/p/android/issues/detail?id=65339 Further denials were observed in testing and allowed as well. Change-Id: I54e56bf5650b50b61e092a6dac45c971397df60f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent
997680a3b7
commit
208deb3357
13
dumpstate.te
13
dumpstate.te
@ -73,3 +73,16 @@ allow dumpstate self:capability sys_ptrace;
|
||||
# /data/data/com.android.shell/files/bugreports/bugreport
|
||||
allow dumpstate shell_data_file:dir create_dir_perms;
|
||||
allow dumpstate shell_data_file:file create_file_perms;
|
||||
|
||||
# Run a shell.
|
||||
allow dumpstate shell_exec:file rx_file_perms;
|
||||
|
||||
# For running am and similar framework commands.
|
||||
# Run /system/bin/app_process.
|
||||
allow dumpstate zygote_exec:file rx_file_perms;
|
||||
# Dalvik Compiler JIT.
|
||||
allow dumpstate ashmem_device:chr_file execute;
|
||||
allow dumpstate dumpstate_tmpfs:file execute;
|
||||
allow dumpstate self:process execmem;
|
||||
# For art.
|
||||
allow dumpstate dalvikcache_data_file:file execute;
|
||||
|
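Review bot: `rx_file_perms` on `shell_exec` and `zygote_exec` includes `execute_no_trans`, so the shell and app_process run inside the dumpstate domain with no transition. The `self:process execmem` rule and the three `execute` rules on `ashmem_device`, `dumpstate_tmpfs` and `dalvikcache_data_file` are therefore granted to dumpstate itself, which the hunk's context line shows already holds `sys_ptrace`. Because these rules cannot be scoped to the am child, any code running as dumpstate may now map writable-executable memory. If transitioning the am invocation into a narrower domain is not feasible here, the block should say so, e.g. `# am runs in the dumpstate domain (no transition); execmem/execute below are needed only by the Dalvik JIT and ART.`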
@ -104,6 +104,7 @@ binder_use(system_server)
|
||||
binder_call(system_server, binderservicedomain)
|
||||
binder_call(system_server, appdomain)
|
||||
binder_call(system_server, healthd)
|
||||
binder_call(system_server, dumpstate)
|
||||
binder_service(system_server)
|
||||
|
||||
# Read /proc/pid files for Binder clients.
|
||||
|
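Review bot: `binder_call(system_server, dumpstate)` has no comment explaining why system_server needs to call into a dump tool. It is taken to be the added line from the hunk's 6-to-7 line count and the commit subject; the file header for this hunk is not shown on the page. Presumably it exists because am now runs in the dumpstate domain and receives Binder replies from system_server, which should be confirmed against the denials seen in testing. A short comment above it would record that, e.g. `# am run by dumpstate receives Binder replies from system_server.` The dumpstate-to-system_server direction is not visible in this hunk, so whether it is already allowed cannot be checked from here.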