sepolicy: allow system server for BINDER_GET_FROZEN_INFO the new ioctl allows system server to verfiry the state of a frozen binder inderface before unfreezing a process. Bug: 143717177 Test: verified ActivityManager could access the ioctl Change-Id: Id9d90d072ce997ed20faa918ec68f1110e2bac8f

commit: 9e7e3fd55fa16a42b0cb8f255a20dd5aaf58b098 [log] [tgz]
author: Marco Ballesio <balejs@google.com> Fri Sep 11 15:41:31 2020 -0700
committer: Marco Ballesio <balejs@google.com> Fri Sep 11 15:41:31 2020 -0700
tree: ed588abb7e422515b5765bf2c86f8faa17dcb7b0
parent: e3055f979c3ae1cd028a7064faf8116e96ff8f1a [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index bd57ad8..6042fff 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1012,8 +1012,8 @@
 
 get_prop(system_server, wifi_config_prop)
 
-# Only system server can access BINDER_FREEZE
-allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE };
+# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
 
 ###
 ### Neverallow rules
@@ -1236,4 +1236,6 @@
 
 # BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
 # can be accessed by system_server only (b/143717177)
-neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };
+# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
+# interface
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
commit	9e7e3fd55fa16a42b0cb8f255a20dd5aaf58b098	[log] [tgz]
author	Marco Ballesio <balejs@google.com>	Fri Sep 11 15:41:31 2020 -0700
committer	Marco Ballesio <balejs@google.com>	Fri Sep 11 15:41:31 2020 -0700
tree	ed588abb7e422515b5765bf2c86f8faa17dcb7b0
parent	e3055f979c3ae1cd028a7064faf8116e96ff8f1a [diff] [blame]