Allow surfaceflinger to read /proc/pid/cmdline of dumpstate.

Resolves denials such as: avc: denied { open } for pid=3772 comm="Binder_4" name="cmdline" dev="proc" ino=26103 scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=file This seems harmless, although I am unclear as to why/where it occurs. Likely just for logging/debugging. Change-Id: I7be38deabb117668b069ebdf086a9ace88dd8dd1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow surfaceflinger to read /proc/pid/cmdline of dumpstate.
Resolves denials such as: avc: denied { open } for pid=3772 comm="Binder_4" name="cmdline" dev="proc" ino=26103 scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=file This seems harmless, although I am unclear as to why/where it occurs. Likely just for logging/debugging. Change-Id: I7be38deabb117668b069ebdf086a9ace88dd8dd1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
57955712 · Stephen Smalley · 01ba6834 · 57955712
Commit 57955712 authored 11 years ago by Stephen Smalley
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -50,6 +50,7 @@ allow surfaceflinger bootanim:fd use;
 # Allow a dumpstate triggered screenshot
 binder_call(surfaceflinger, dumpstate)
 binder_call(surfaceflinger, shell)
+r_dir_file(surfaceflinger, dumpstate)

 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.