crash_dump: dontaudit gpu_device access
And add neverallow so that it's removed from partner policy if
it was added there due to denials.
Fixes: 124476401
Test: build
Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05
diff --git a/private/bug_map b/private/bug_map
index ae7b695..a5fdb74 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,5 +1,4 @@
cppreopts cppreopts capability 79414024
-crash_dump gpu_device chr_file 124468495
dnsmasq netd fifo_file 77868789
dnsmasq netd unix_stream_socket 77868789
init app_data_file file 77873135
diff --git a/private/crash_dump.te b/private/crash_dump.te
index bb13bff..fd2e4b6 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -1,5 +1,8 @@
typeattribute crash_dump coredomain;
+# Crash dump does not need to access the GPU.
+dontaudit crash_dump gpu_device:chr_file *;
+
allow crash_dump {
domain
-apexd
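Review bot: The added `dontaudit crash_dump gpu_device:chr_file *;` silences every permission in the class, so any unexpected GPU access attempt by crash_dump will no longer appear in the audit log. The denial that motivated the rule is not shown on this page; if it involved only a few permissions, listing those instead of `*` would keep the rest visible to anyone triaging denials. The comment could also say why the access is attempted at all, for example `# crash_dump may inherit GPU fds from the crashing process (presumed; confirm against the bug); it never needs them.` The `allow crash_dump { ... }` statement that follows continues outside the hunk.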
@@ -41,3 +44,4 @@
}:process { signal sigstop sigkill };
neverallow crash_dump self:process ptrace;
+neverallow crash_dump gpu_device:chr_file *;
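Review bot: The new `neverallow crash_dump gpu_device:chr_file *;` has no comment in the policy file, so its purpose is only discoverable from the commit message, which says it is meant to force out any partner `allow` added to quiet denials. A one-line comment would keep that intent next to the rule, for example `# Partner policy must not grant crash_dump GPU access; the denials are dontaudited at the top of this file.` This also tells a vendor who hits the build failure that the fix is to delete their rule, not to seek an exemption. The statement ending at `}:process { signal sigstop sigkill };` begins outside the hunk.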