From 3f3d6ffb7ee98116404e4a85ad027a98b70c2331 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 15 Apr 2014 14:24:39 -0700
Subject: [PATCH] Allow system_server pstore access.

pstore contains /sys/fs/pstore/console-ramoops, which is the
replacement for /proc/last_kmsg. Both files are read by system_server
on startup. Allow access.

Addresses the following denials:

<12>[   53.836838] type=1400 audit(949060020.909:19): avc:  denied  { search } for  pid=1233 comm="Thread-119" name="/" dev="pstore" ino=10296 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir
<12>[   53.856546] type=1400 audit(949060020.909:20): avc:  denied  { getattr } for  pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
<12>[   53.878425] type=1400 audit(949060020.909:21): avc:  denied  { read } for  pid=1233 comm="Thread-119" name="console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
<12>[   53.898476] type=1400 audit(949060020.909:22): avc:  denied  { open } for  pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file

Change-Id: I7307da751961b242e68adb319da9c00192e77bbb
---
 system_server.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/system_server.te b/system_server.te
index e85281cda..7a8979a90 100644
--- a/system_server.te
+++ b/system_server.te
@@ -274,6 +274,12 @@ read_logd(system_server)
 # /sys/module/lowmemorykiller/parameters/minfree
 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow system_server pstorefs:dir r_dir_perms;
+allow system_server pstorefs:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
-- 
GitLab