{
  "commit": "7ffeb3957c4ba60c9b3755cf6d9b409b25c6fdf3",
  "tree": "e2d68b631d1615ff629e3d12b91e8e1286b63284",
  "parents": [
    "dc44a31e26b918f21b4ed560d893a8cfe03d536b"
  ],
  "author": {
    "name": "Nikita Ioffe",
    "email": "ioffe@google.com",
    "time": "Tue Jan 03 16:12:05 2023 +0000"
  },
  "committer": {
    "name": "Nikita Ioffe",
    "email": "ioffe@google.com",
    "time": "Tue Jan 03 16:12:05 2023 +0000"
  },
  "message": "dumpstate: explicitly specify capabilities\n\nIf a service doesn\u0027t specify any capabilities in its definition in the\n.rc file, then it will inherit all the capabilities from the init.\nAlthough whether a process can use capabilities is actually controlled\nby selinux (so inheriting all the init capabilities is not actually a\nsecurity vulnerability), it\u0027s better for defense-in-depth and just\nbookkeeping to explicitly specify the capabilities that dumpstate needs.\n\nThe list of capabilities that dumpstate is allowed to use was obtained via:\n```\n$ adb pull /sys/fs/selinux/policy /tmp/selinux.policy\n$ sesearch --allow -s dumpstate -c capability,capability2 /tmp/selinux.policy\nallow dumpstate dumpstate:capability { chown dac_override dac_read_search fowner fsetid kill net_admin net_raw setgid setuid sys_ptrace sys_resource };\nallow dumpstate dumpstate:capability2 { block_suspend syslog };\n```\n\nNote: dumpstate can transfer in several other domains, but all of them\neither don\u0027t need any capabilities:\n```\n$ sesearch --allow -s vdc -c capability,capability2 /tmp/selinux.policy\n$ sesearch --allow -s perfetto -c capability,capability2 /tmp/selinux.policy\n$ sesearch --allow -s derive_sdk -c capability,capability2 /tmp/selinux.policy\n```\n\nBug: 249796710\nTest: atest BugreportManagerTestCases\nTest: presubmit\nChange-Id: I6f03675b60d69063c3d944b370f4a8d325cfa7f9\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "a80da4ec552e667163715735dd7e6eaab92a26cc",
      "old_mode": 33188,
      "old_path": "cmds/dumpstate/dumpstate.rc",
      "new_id": "12a7cfface923f5301bdacb6eae994233a5fb2d8",
      "new_mode": 33188,
      "new_path": "cmds/dumpstate/dumpstate.rc"
    }
  ]
}
