c0d14767e6
dumpstate uses vdc to collect asec lists and do a vold dump.
Force a transition into the vdc domain when this occurs.
Addresses the following denial:
<4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0
Change-Id: I4bd9f3ad83480f8c9f9843ffe136295c582f96fe
24 lines
622 B
Plaintext
24 lines
622 B
Plaintext
# vdc spawned from init for the following services:
|
|
# defaultcrypto
|
|
# encrypt
|
|
#
|
|
# We also transition into this domain from dumpstate, when
|
|
# collecting bug reports.
|
|
|
|
type vdc, domain;
|
|
type vdc_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(vdc)
|
|
|
|
unix_socket_connect(vdc, vold, vold)
|
|
|
|
# vdc sends information back to dumpstate when "adb bugreport" is used
|
|
allow vdc dumpstate:fd use;
|
|
allow vdc dumpstate:unix_stream_socket { read write getattr };
|
|
|
|
# vdc information is written to shell owned bugreport files
|
|
allow vdc shell_data_file:file { write getattr };
|
|
|
|
# Why?
|
|
allow vdc dumpstate:unix_dgram_socket { read write };
|