Allow dumpstate to dump backtraces of certain native processes.

The list of processes comes from frameworks/native/cmds/dumpstate/utils.c.
dumpstate calls dump_backtrace_to_file() for each such process, which
asks debuggerd to dump the backtrace.

Resolves denials such as:
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:surfaceflinger:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:drmserver:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:mediaserver:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:sdcardd:s0 tclass=debuggerd

Change-Id: Idbfb0fef0aac138073b7217b7dbad826a1193098
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

1 files changed, 2 insertions, 0 deletions

diff --git a/dumpstate.te b/dumpstate.te
index 481feba..e6128e9 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,6 +48,8 @@ allow dumpstate { appdomain system_server }:process signal;
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in dumpstate/utils.c
 allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+# Ask debuggerd for the backtraces of these processes.
+allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
 
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)