SEPolicy: Allow app / system_server to write to dumpstate pipes.
tombstoned allows dumpstate to install "intercepts" to java trace
requests for a given process. When an "intercept" is installed, all
trace output is redirected to a pipe provided by dumpstate instead
of the default location (usually in /data/anr or /data/tombstone).
Note that these processes are already granted "write" and "getattr"
on dumpstate:fifo_file in order to communicate with dumpstate; this
change adds "append" to the existing set of permissions.
Bug: 32064548
Test: manual
Change-Id: Iccbd78c59071252fef318589f3e55ece51a3c64c
diff --git a/private/system_server.te b/private/system_server.te
index d12671b..849ce0a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -315,9 +315,11 @@
# domain socket.
#
# Allow system_server to connect and write to the tombstoned java trace socket in
-# order to dump its traces.
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture.
unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
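Review bot: The comment added above `allow system_server dumpstate:fifo_file append;` says system_server may "write its traces to dumpstate", but the rule grants only `append`, and the commit message states that `write` and `getattr` on dumpstate:fifo_file are already granted elsewhere. I'd suggest having the comment say explicitly that this line adds `append` on top of the existing grant and why append is needed in addition to write, or moving `append` into the existing rule, so the complete permission set this domain holds on dumpstate:fifo_file can be audited in one place. The subject line also names app domains, while this hunk touches only private/system_server.te; whichever rule covers the app side deserves the same explanatory comment. With "Test: manual" as the only verification, it would help to record in the commit message what was checked, for example that the append denial no longer appears during bugreport capture.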