Merge "Remove MAC capabilities from unconfined domains."
diff --git a/dumpstate.te b/dumpstate.te
index fbf9ce9..5977422 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -73,3 +73,16 @@
 # /data/data/com.android.shell/files/bugreports/bugreport
 allow dumpstate shell_data_file:dir create_dir_perms;
 allow dumpstate shell_data_file:file create_file_perms;
+
+# Run a shell.
+allow dumpstate shell_exec:file rx_file_perms;
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file rx_file_perms;
+# Dalvik Compiler JIT.
+allow dumpstate ashmem_device:chr_file execute;
+allow dumpstate dumpstate_tmpfs:file execute;
+allow dumpstate self:process execmem;
+# For art.
+allow dumpstate dalvikcache_data_file:file execute;
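Review bot: The JIT rules (`ashmem_device:chr_file execute`, `dumpstate_tmpfs:file execute`, `self:process execmem`) are granted to the dumpstate domain as a whole, not only to the `am`/app_process children. `rx_file_perms` on `shell_exec` and `zygote_exec` includes `execute_no_trans`, and this hunk declares no domain transition, so the shell and app_process appear to run as dumpstate; a transition defined elsewhere in the file would change that. The comments should say so, so a later audit does not read the execmem grant as scoped to the framework commands: `# No domain transition: sh and app_process run in the dumpstate domain, so the execute/execmem rules below apply to dumpstate itself.` If a dedicated domain for the spawned commands is feasible, moving these rules there would keep writable-and-executable memory out of dumpstate.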
diff --git a/file.te b/file.te
index e255ae9..d6a4d56 100644
--- a/file.te
+++ b/file.te
@@ -71,7 +71,6 @@
 
 # Compatibility with type names used in vanilla Android 4.3 and 4.4.
 typealias audio_data_file alias audio_firmware_file;
-typealias camera_data_file alias camera_calibration_file;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
 type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
diff --git a/system_server.te b/system_server.te
index 06bca76..1971912 100644
--- a/system_server.te
+++ b/system_server.te
@@ -104,6 +104,7 @@
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
 binder_call(system_server, healthd)
+binder_call(system_server, dumpstate)
 binder_service(system_server)
 
 # Read /proc/pid files for Binder clients.
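Review bot: `binder_call(system_server, dumpstate)` is added with no comment saying which interaction needs system_server to make binder calls into dumpstate. Presumably it serves the `am` and similar framework commands that the dumpstate.te change in this commit runs inside the dumpstate domain, but nothing in this hunk states that. A one-line comment above the rule, e.g. `# Framework commands (am etc.) are run from the dumpstate domain.`, would keep the reason with the grant. Whether dumpstate.te has the matching `binder_call(dumpstate, system_server)` is not visible in this diff and is worth confirming.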