author: Nick Kralevich <nnk@google.com> 2014-09-03 16:56:41 -0700
committer: Nick Kralevich <nnk@google.com> 2014-09-06 11:23:11 -0700
commit: a42dc5df701bcc46be6088f54367d17acd5bd466
tree: f014ae3fb910b6400a580ebd3f6602ac4d2f7e3f /sepolicy/file_contexts
parent: 3b8134bf4d53da66f1986e386d753fd1e57cf398
ss_ramdump: start enforcing SELinux rules and fix denials

Remove the permissive line and start enforcing SELinux rules
for the ss_ramdump process.

Also addresses the following denials:

  type=1400 audit(1021853.259:5): avc: denied { read } for pid=349 comm="subsystem_ramdu" name="ramdump_vpu" dev="tmpfs" ino=9185 scontext=u:r:ss_ramdump:s0 tcontext=u:object_r:ramdump_device:s0 tclass=chr_file permissive=0
  type=1400 audit(0.0:60): avc: denied { dac_override } for comm="subsystem_ramdu" capability=1 scontext=u:r:ss_ramdump:s0 tcontext=u:r:ss_ramdump:s0 tclass=capability permissive=1
  type=1400 audit(0.0:61): avc: denied { write } for comm="subsystem_ramdu" name="tombstones" dev="dm-0" ino=2714433 scontext=u:r:ss_ramdump:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir permissive=1
  type=1400 audit(0.0:62): avc: denied { add_name } for comm="subsystem_ramdu" name="ramdump_venus.elf" scontext=u:r:ss_ramdump:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir permissive=1
  type=1400 audit(0.0:63): avc: denied { create } for comm="subsystem_ramdu" name="ramdump_venus.elf" scontext=u:r:ss_ramdump:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file permissive=1
  type=1400 audit(0.0:64): avc: denied { write open } for comm="subsystem_ramdu" path="/data/tombstones/ramdump_venus.elf" dev="dm-0" ino=2714442 scontext=u:r:ss_ramdump:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file permissive=1

Bug: 16319212
Change-Id: If9997afba49903c474d053d1b896a1b640192a2e

Diffstat (limited to 'sepolicy/file_contexts')
-rw-r--r-- sepolicy/file_contexts 1
1 files changed, 1 insertions, 0 deletions
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index cb792141..75996dcb 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -42,6 +42,7 @@
# Should only be on userdebug device
/dev/diag u:object_r:diag_device:s0
/dev/ttydiag2 u:object_r:diag_device:s0
+/dev/ramdump_.* u:object_r:ramdump_device:s0
# MSM camera related
/dev/media([0-9])+ u:object_r:camera_device:s0
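
Review bot: the new `/dev/ramdump_.*` entry lands directly under the `# Should only be on userdebug device` comment, so it reads as part of the diag group; if ramdump nodes are expected on every build, give the line its own comment so a later cleanup of the userdebug-only entries does not drop or misjudge it. The pattern is also open-ended: `.*` matches any suffix, including further path components, so every node under /dev whose name begins with `ramdump_` receives `ramdump_device`. If the set of nodes is bounded (the commit message shows `ramdump_vpu`), a narrower character class in place of `.*` would keep the label from landing on unrelated nodes that ss_ramdump is then allowed to read. The other denials in the commit message (dac_override, writes to tombstone_data_file) are not addressed by this file, so they need to be checked against the rest of the commit, which this file-limited view does not show.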