Commit b82c925d authored by Nick Kralevich

dumpstate: call su before executing librank

librank uses /proc/PID/pagemap . Rather than granting dumpstate
CAP_SYS_ADMIN, have librank run from the SU domain.

Addresses the following denial:

  avc: denied { sys_admin } for pid=6442 comm="librank" capability=21 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0

This also allows us to remove the setuid bit from librank,
which will be done in a different commit.

Bug: 25739721
Change-Id: Ibf20d67dbe01b95e5cbb860a7e0eb767b8beb74a
parent afc0f555
+1 −1
@@ -322,7 +322,7 @@ static void dumpstate() {
    dump_file("KERNEL SYNC", "/d/sync");

    run_command("PROCESSES AND THREADS", 10, "ps", "-Z", "-t", "-p", "-P", NULL);
    run_command("LIBRANK", 10, "librank", NULL);
    run_command("LIBRANK", 10, SU_PATH, "root", "librank", NULL);

    do_dmesg();
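
Review bot: The new "LIBRANK" call that goes through SU_PATH, "root" has no comment saying why librank is the one command in this block run via su, so a later cleanup could easily revert it and bring the sys_admin denial back. Suggest a one-line comment above the call noting that librank reads /proc/PID/pagemap, which needs CAP_SYS_ADMIN, and that dumpstate is deliberately not granted that capability. Two things to confirm before merging: the call keeps the same 10 second timeout while adding the su hop, and the commit message does not say what this section prints on a build where SU_PATH is not present, so it is worth checking that the report degrades to a clear error line there rather than a silent gap. Running the whole tool as root in the su domain is also broader than the single capability it replaces, so it would help to state in the comment that this is intended as the narrower change for dumpstate's own domain.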