diff options
| -rw-r--r-- | app.te | 5 | ||||
| -rw-r--r-- | dumpstate.te | 7 | ||||
| -rw-r--r-- | su.te | 4 |
3 files changed, 12 insertions, 4 deletions
@@ -263,8 +263,9 @@ neverallow appdomain { domain -appdomain }:process { sigkill sigstop signal }; # Transition to a non-app domain. -# Exception for the shell domain, can transition to runas, etc. -neverallow { appdomain -shell } { domain -appdomain }:process +# Exception for the shell domain and the su domain, can transition to runas, +# etc. +neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process { transition dyntransition }; # Write to rootfs. diff --git a/dumpstate.te b/dumpstate.te index ad4f238..876eaca 100644 --- a/dumpstate.te +++ b/dumpstate.te @@ -6,8 +6,9 @@ init_daemon_domain(dumpstate) net_domain(dumpstate) binder_use(dumpstate) -# Drop privileges by switching UID / GID -allow dumpstate self:capability { setuid setgid }; +# Allow setting process priority, protect from OOM killer, and dropping +# privileges by switching UID / GID +allow dumpstate self:capability { setuid setgid sys_resource }; # Allow dumpstate to scan through /proc/pid for all processes r_dir_file(dumpstate, domain) @@ -119,3 +120,5 @@ allow dumpstate { }:service_manager find; allow dumpstate servicemanager:service_manager list; + +allow dumpstate devpts:chr_file rw_file_perms; @@ -12,6 +12,10 @@ userdebug_or_eng(` # additional information. domain_auto_trans(dumpstate, su_exec, su) + # Make sure that dumpstate runs the same from the "su" domain as + # from the "init" domain. + domain_auto_trans(su, dumpstate_exec, dumpstate) + # su is also permissive to permit setenforce. permissive su; |