Allow incidentd to parse persisted log
Allow incidentd to run incident-helper-cmd, a Java program spawned by
app_process.
Allow incidentd to read /data/misc/logd and its files on userdebug
and eng builds.
Bug: 147924172
Test: Build, flash and verify "adb shell incident -p EXPLICIT 1116"
can parse persisted logs.
Change-Id: Id0aa4286c304a336741ce8c0949b12ec559c2e16
diff --git a/private/incidentd.te b/private/incidentd.te
index b806f6e..45499fc 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -128,10 +128,18 @@
# Run a shell.
allow incidentd shell_exec:file rx_file_perms;
+# For running am, incident-helper-cmd and similar framework commands.
+# Run /system/bin/app_process.
+allow incidentd zygote_exec:file { rx_file_perms };
+
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
+# Access /data/misc/logd
+allow incidentd misc_logd_file:dir r_dir_perms;
+allow incidentd misc_logd_file:file r_file_perms;
+
# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
allow incidentd {
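Review bot: The two `misc_logd_file` rules added after `# TODO control_logd(incidentd)` are unconditional, although the commit message limits /data/misc/logd access to userdebug and eng builds and the `read_logd(incidentd)` line just above sits inside `userdebug_or_eng(...)`. As written, the policy would also permit incidentd to read persisted logs on user builds, and the neighbouring comment already notes that a PII-safe log is still outstanding. Enclose both rules in the same `userdebug_or_eng(...)` wrapper and extend the comment to `# Access /data/misc/logd (persisted logs, userdebug/eng only)`. Separately, the `zygote_exec` rule grants `rx_file_perms` with no domain transition, so app_process presumably runs in the incidentd domain with all of incidentd's permissions; a comment stating that this is intended would help the next reviewer. The final `allow incidentd {` block continues outside the hunk.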