Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 3c9b91977d4e0f06d53510429078291c08aff85c^! / .
commit3c9b91977d4e0f06d53510429078291c08aff85c[log] [tgz]
authorJosh Gao <jmgao@google.com>Wed Jul 19 17:29:43 2017 -0700
committerNick Kralevich <nnk@google.com>Thu Jul 20 01:14:16 2017 +0000
tree4eb6925deddc7772baf20b27b580a320796e3db2
parentdcec3ee905fce89317d77baf314e235036c39b69 [diff]
crash_dump_fallback: allow writing to system_server pipes.

Allow mediacodec/mediaextractor to write to system_server pipes during
ANR dumps.

Addresses the following denials:
avc: denied { write } for comm="mediaextractor" path="pipe:[1177610]" dev="pipefs" ino=1177610 scontext=u:r:mediaextractor:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0
avc: denied { write } for comm="omx@1.0-service" path="pipe:[1175808]" dev="pipefs" ino=1175808 scontext=u:r:mediacodec:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0

Bug: http://b/63801592
Test: treehugger
Change-Id: I944b1fa76c70402607ccd903be17dbddeaa73201

diff --git a/public/te_macros b/public/te_macros
index 049ac8e..582cf33 100644
--- a/public/te_macros
+++ b/public/te_macros

@@ -459,8 +459,9 @@
 ')
 allow $1 anr_data_file:file append;
 allow $1 dumpstate:fd use;
-# TODO: Figure out why write is needed and remove.
+# TODO: Figure out why write is needed.
 allow $1 dumpstate:fifo_file { append write };
+allow $1 system_server:fifo_file { append write };
 allow $1 tombstoned:unix_stream_socket connectto;
 allow $1 tombstoned:fd use;
 allow $1 tombstoned_crash_socket:sock_file write;