From 8666bf25cf5de7c0bddfe858342dabfeea5ff823 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Fri, 22 Jan 2016 09:29:00 -0800
Subject: [PATCH] Allow access to /dev/ion and proc_net dir.

Address the following:
01-21 13:35:41.147  5896  5896 W ndroid.music:ui: type=1400 audit(0.0:22): avc: denied { read } for name="ion" dev="tmpfs" ino=1237 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
01-21 13:35:41.152  5896  5896 E qdmemalloc: open_device: Failed to open ion device - Permission denied
01-21 13:35:41.152  5896  5896 E qdgralloc: Could not mmap handle 0x7f827d7260, fd=55 (Permission denied)
01-21 13:35:41.152  5896  5896 E qdgralloc: gralloc_register_buffer: gralloc_map failed

and

01-22 08:58:47.667  7572  7572 W Thread-23: type=1400 audit(0.0:186): avc: denied { search } for name="xt_qtaguid" dev="proc" ino=4026535741 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=dir permissive=0
01-22 08:58:47.671  7498  7572 I qtaguid : Untagging socket 68 failed errno=-13
01-22 08:58:47.671  7498  7572 W NetworkManagementSocketTagger: untagSocket(68) failed with errno -13

Change-Id: Id4e253879fe0f6daadd04d148a257a10add68d38
---
 app.te    | 2 ++
 domain.te | 1 +
 2 files changed, 3 insertions(+)

diff --git a/app.te b/app.te
index b03355f9e..01de57fd2 100644
--- a/app.te
+++ b/app.te
@@ -204,6 +204,8 @@ use_keystore({ appdomain -isolated_app })
 
 allow appdomain console_device:chr_file { read write };
 
+allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+
 ###
 ### CTS-specific rules
 ###
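Review bot: The added `ion_device` rule grants `rw_file_perms`, but the only denial quoted in the commit message is `{ read }` on the chr_file, so nothing shown here justifies the write and append part of the grant. Because `{ appdomain -isolated_app }` includes `untrusted_app`, the rule makes the ion driver interface reachable from every third-party app, and the rule should say why that is needed. If testing confirms that read-only opens are enough for gralloc, consider `allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;` instead. Either way, add a comment above the rule such as `# gralloc buffer mapping opens /dev/ion from app processes.`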
diff --git a/domain.te b/domain.te
index 2aba7e31d..c5296c4f2 100644
--- a/domain.te
+++ b/domain.te
@@ -23,6 +23,7 @@ allow domain self:process {
 };
 allow domain self:fd use;
 allow domain proc:dir search;
+allow domain proc_net:dir search;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
 allow domain self:{ fifo_file file } rw_file_perms;
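Review bot: `allow domain proc_net:dir search;` applies to every domain in the policy, while the quoted denial is only for `untrusted_app` searching the `proc_net`-labelled `xt_qtaguid` directory. `search` only permits directory traversal, and file access under it is still governed by separate rules, but the wider scope should be a deliberate choice. Either scope it as `allow appdomain proc_net:dir search;` in app.te, or keep it here with a comment such as `# Socket tagging (qtaguid) requires traversing proc_net directories.` Whether non-app domains hit the same denial is not visible from the commit message.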
-- 
GitLab