dumpstate: call su before executing librank librank uses /proc/PID/pagemap . Rather than granting dumpstate CAP_SYS_ADMIN, have librank run from the SU domain. Addresses the following denial: avc: denied { sys_admin } for pid=6442 comm="librank" capability=21 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0 This also allows us to remove the setuid bit from librank, which will be done in a different commit. Bug: 25739721 Change-Id: Ibf20d67dbe01b95e5cbb860a7e0eb767b8beb74a

commit: b82c925d3cd54d5eff9f4f9e6d5aeb41f75365f5 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Fri Nov 27 17:56:13 2015 -0800
committer: Nick Kralevich <nnk@google.com> Fri Nov 27 17:56:13 2015 -0800
tree: a37416060d3d3417413a175e34fde700bf35b049
parent: afc0f5551d7d886bb853fe0d27d50f1e4811ce9a [diff] [blame]
diff --git a/cmds/dumpstate/dumpstate.cpp b/cmds/dumpstate/dumpstate.cpp
index 4703c2f..b5931d7 100644
--- a/cmds/dumpstate/dumpstate.cpp
+++ b/cmds/dumpstate/dumpstate.cpp

@@ -322,7 +322,7 @@
     dump_file("KERNEL SYNC", "/d/sync");
 
     run_command("PROCESSES AND THREADS", 10, "ps", "-Z", "-t", "-p", "-P", NULL);
-    run_command("LIBRANK", 10, "librank", NULL);
+    run_command("LIBRANK", 10, SU_PATH, "root", "librank", NULL);
 
     do_dmesg();
commit	b82c925d3cd54d5eff9f4f9e6d5aeb41f75365f5	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Fri Nov 27 17:56:13 2015 -0800
committer	Nick Kralevich <nnk@google.com>	Fri Nov 27 17:56:13 2015 -0800
tree	a37416060d3d3417413a175e34fde700bf35b049
parent	afc0f5551d7d886bb853fe0d27d50f1e4811ce9a [diff] [blame]