From 208deb335719280c11ab0e6aa033bfd33629320a Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 29 Jan 2014 14:56:41 -0500
Subject: [PATCH] Allow dumpstate to run am and shell.

See http://code.google.com/p/android/issues/detail?id=65339

Further denials were observed in testing and allowed as well.

Change-Id: I54e56bf5650b50b61e092a6dac45c971397df60f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 dumpstate.te     | 13 +++++++++++++
 system_server.te |  1 +
 2 files changed, 14 insertions(+)

diff --git a/dumpstate.te b/dumpstate.te
index fbf9ce923..597742281 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -73,3 +73,16 @@ allow dumpstate self:capability sys_ptrace;
 # /data/data/com.android.shell/files/bugreports/bugreport
 allow dumpstate shell_data_file:dir create_dir_perms;
 allow dumpstate shell_data_file:file create_file_perms;
+
+# Run a shell.
+allow dumpstate shell_exec:file rx_file_perms;
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file rx_file_perms;
+# Dalvik Compiler JIT.
+allow dumpstate ashmem_device:chr_file execute;
+allow dumpstate dumpstate_tmpfs:file execute;
+allow dumpstate self:process execmem;
+# For art.
+allow dumpstate dalvikcache_data_file:file execute;
diff --git a/system_server.te b/system_server.te
index 06bca76a6..19719124f 100644
--- a/system_server.te
+++ b/system_server.te
@@ -104,6 +104,7 @@ binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
 binder_call(system_server, healthd)
+binder_call(system_server, dumpstate)
 binder_service(system_server)
 
 # Read /proc/pid files for Binder clients.