Merge "Label /vendor/bin/hw on devices without vendor partition"
diff --git a/private/crash_dump.te b/private/crash_dump.te
deleted file mode 100644
index b3e4d9a..0000000
--- a/private/crash_dump.te
+++ /dev/null
@@ -1,4 +0,0 @@
-### HACK: Make crash_dump permissive temporarily to catch denials without breaking backtraces.
-userdebug_or_eng(`
-  permissive crash_dump;
-')
diff --git a/private/file.te b/private/file.te
index 818a53d..da5f9ad 100644
--- a/private/file.te
+++ b/private/file.te
@@ -2,3 +2,6 @@
 typealias audio_data_file alias audio_firmware_file;
 typealias app_data_file alias platform_app_data_file;
 typealias app_data_file alias download_file;
+
+# /proc/config.gz
+type config_gz, fs_type;
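Review bot: `config_gz` is declared here and attached to /proc/config.gz by the `genfscon proc /config.gz u:object_r:config_gz:s0` line in private/genfs_contexts, but no hunk visible on this page grants any domain access to the new type. Once the file carries its own label it no longer matches rules written against `proc`, so anything that read it through a generic proc rule will be denied. That is presumably the intent, but the allowed readers should be checked in the part of the change not shown here. The type also sits in private/file.te, which as far as I can tell keeps it out of reach of non-platform policy. If both are deliberate, the comment should say so, e.g. `# /proc/config.gz: kernel build configuration; readable only by domains granted config_gz explicitly.`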
diff --git a/private/genfs_contexts b/private/genfs_contexts
index efdfb42..0c50675 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,6 +2,7 @@
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
diff --git a/public/crash_dump.te b/public/crash_dump.te
index e1327e4..a0e278a 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -19,7 +19,10 @@
 
 # Use inherited file descriptors
 allow crash_dump domain:fd use;
-allow crash_dump domain:fifo_file write;
+
+# Write to the IPC pipe inherited from crashing processes.
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { write append };
 
 r_dir_file(crash_dump, domain)
 allow crash_dump exec_type:file r_file_perms;
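Review bot: The new `allow crash_dump domain:fifo_file { write append };` targets the whole `domain` attribute, while its comment justifies `append` only by naming dumpstate as an example requester, so a policy auditor cannot tell whether that breadth is intended. Because the `permissive crash_dump;` block in private/crash_dump.te is deleted in this same commit, this rule is what is actually enforced on userdebug/eng builds. Please state the intent in the comment, e.g. `# Any domain may hand crash_dump a pipe, so the target cannot be narrowed to specific requesters.` if that is the case. If only a known set of domains passes in pipes opened for append, least privilege would keep `write` on `domain` and grant `append` for those domains only.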
@@ -28,6 +31,9 @@
 allow crash_dump dalvikcache_data_file:dir { search getattr };
 allow crash_dump dalvikcache_data_file:file r_file_perms;
 
+# Read APK files.
+r_dir_file(crash_dump, apk_data_file);
+
 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)