Allow surfaceflinger to read /proc/pid/cmdline of dumpstate.
Resolves denials such as:
avc: denied { open } for pid=3772 comm="Binder_4" name="cmdline" dev="proc" ino=26103 scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=file
This seems harmless, although I am unclear as to why/where it occurs.
Likely just for logging/debugging.
Change-Id: I7be38deabb117668b069ebdf086a9ace88dd8dd1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/surfaceflinger.te b/surfaceflinger.te
index cb67855..5ecfd18 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -50,6 +50,7 @@
# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
+r_dir_file(surfaceflinger, dumpstate)
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
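Review bot: the added r_dir_file(surfaceflinger, dumpstate) line has no comment of its own and sits under "# Allow a dumpstate triggered screenshot", so the policy file does not record that the rule exists for reading /proc/pid/cmdline of dumpstate. The logged denial is only { open } on the file "cmdline", while r_dir_file grants read access to directories, files and symlinks labeled with the dumpstate domain, which is wider than that one file. The commit message says it is unclear where the access comes from, so I suggest adding a comment that names the denial. I also suggest either narrowing the rule to what the denial needs, or, if the read turns out to be for logging only, checking whether a dontaudit would be enough.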