Fix pid_max denials from dumpstate, incidentd
The dumpstate and incidentd contexts may call on to toybox tools like
"ps" and "top" which are now reading /proc/sys/kernel/pid_max.
Fixes denials like:
avc: denied { read } for comm="top" name="pid_max" dev="proc" ino=125433
scontext=u:r:incidentd:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0
avc: denied { read } for comm="ps" name="pid_max" dev="proc" ino=125433
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0
avc: denied { read } for comm="ps" name="pid_max" dev="proc" ino=125433
scontext=u:r:incidentd:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0
Bug: 171070708
Bug: 172703374
Bug: 174618269
Change-Id: Ief5662c6d484e966bd1ba7134eddfabb3f7ad0e4
diff --git a/private/incidentd.te b/private/incidentd.te
index f10173b..0731dec 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -67,6 +67,7 @@
# Read files in /proc
allow incidentd {
proc_cmdline
+ proc_pid_max
proc_pipe_conf
proc_stat
}:file r_file_perms;