<allow own="org.tizen.system.diagnostics"/>
</policy>
<policy group="priv_livecoredump">
- <!-- following section also permits applications with
- "http://tizen.org/privilege/internal/livecoredump"
- privilege, due to privilege -> gid mapping being used -->
+ <!-- Following section is for services wanting to use livedump api.
+ Thoretically, the <policy group=..> should be enough to support
+ both service and application case. However, this does not work
+ in practice due to dbus-daemon getting group membership from
+ static source (via getgrouplist), while in Tizen it's dynamic,
+ assigned to application by security-manager. Dbus-daemon would
+ need to use SO_PEERGROUP socket option for this to work, but it's
+ supported only in kernels >= 4.13. -->
<allow send_destination="org.tizen.system.crash.livedump"
send_interface="org.tizen.system.crash.livedump"
send_member="livedump_pid"/>
<deny own="org.tizen.system.diagnostics"/>
<deny send_destination="org.tizen.system.diagnostics"/>
+
+ <check send_destination="org.tizen.system.crash.livedump"
+ send_interface="org.tizen.system.crash.livedump"
+ send_member="livedump_pid"
+ privilege="http://tizen.org/privilege/internal/livecoredump"/>
+
<check send_destination="org.tizen.system.diagnostics"
send_interface="org.tizen.system.diagnostics"
send_member="get_file"