From 46d5345bc9ec0e32a7022452fb24bfebfe1da863 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 13 Mar 2023 14:10:45 +0800
Subject: [PATCH] enforce hal_dumpstate_default

Bug: 266035810
Test: adb bugreport
Change-Id: Iec0d9b7d5d9327dd7ca96ab7f4c1a26c3fde6a3e
---
tracking_denials/hal_dumpstate_default.te | 24 -----------------------
vendor/hal_dumpstate_default.te | 5 +++++
2 files changed, 5 insertions(+), 24 deletions(-)
delete mode 100644 tracking_denials/hal_dumpstate_default.te
create mode 100644 vendor/hal_dumpstate_default.te
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
deleted file mode 100644
index 551517ad..00000000
--- a/tracking_denials/hal_dumpstate_default.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# b/259302023
-dontaudit hal_dumpstate_default file_type:file *;
-dontaudit hal_dumpstate_default fs_type:file *;
-dontaudit hal_dumpstate_default file_type:dir *;
-dontaudit hal_dumpstate_default fs_type:dir *;
-dontaudit hal_dumpstate_default property_type:file *;
-# b/261933251
-dontaudit hal_dumpstate_default hal_dumpstate_default:lockdown { integrity };
-dontaudit hal_dumpstate_default logbuffer_device:chr_file { getattr };
-dontaudit hal_dumpstate_default logbuffer_device:chr_file { open };
-dontaudit hal_dumpstate_default logbuffer_device:chr_file { read };
-dontaudit hal_dumpstate_default vndbinder_device:chr_file { ioctl };
-dontaudit hal_dumpstate_default vndbinder_device:chr_file { map };
-dontaudit hal_dumpstate_default vndbinder_device:chr_file { open };
-dontaudit hal_dumpstate_default vndbinder_device:chr_file { read };
-dontaudit hal_dumpstate_default vndbinder_device:chr_file { write };
-# b/262178702
-dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call };
-dontaudit hal_dumpstate_default vndservicemanager:binder { call };
-# b/264489795
-userdebug_or_eng(`
- permissive hal_dumpstate_default;
-')# b/264972626
-dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find };
diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te
new file mode 100644
index 00000000..3e4db459
--- /dev/null
+++ b/vendor/hal_dumpstate_default.te
@@ -0,0 +1,5 @@
+allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
+allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
+allow hal_dumpstate_default shell_data_file:file getattr;
+
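Review bot: The two `radio_vendor_data_file` rules in the new `vendor/hal_dumpstate_default.te` grant `create_dir_perms` and `create_file_perms`, which include create, write, rename and unlink, and nothing on this page shows that the dumpstate HAL needs more than read access there. If it only collects existing logs, `r_dir_perms` and `r_file_perms` would be the tighter grant; if it does write into that directory, a one-line comment above each rule naming the dump step that needs it would help, since the removed file tagged its rules with bug numbers and the new one carries none. Separately, the removed `dontaudit` rules covered `logbuffer_device`, `vndbinder_device`, two binder calls and a `service_manager` find that are not allowed here, so those accesses are presumably granted elsewhere or no longer made. It is worth confirming that the `adb bugreport` test run shows no `avc: denied` lines for `hal_dumpstate_default` on a user build as well as userdebug, because the `permissive` line applied only to userdebug/eng while the `dontaudit` rules hid denials on every build.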