From d2f3d18fcd9f7ecb275f9cfb29463c5617396192 Mon Sep 17 00:00:00 2001
From: Bookatz <bookatz@google.com>
Date: Mon, 5 Nov 2018 15:01:39 -0800
Subject: [PATCH] Incidentd gets statsd incident section

There is now an incident section for statsd output data. These selinux
changes must be made for incident to call dump on statsd to get the
data.

Bug: 115678461
Test: adb shell incident -b 3023
and confirm that a valid statsd section is obtained

Change-Id: I761389c160ab3ab6c24556813a1a31088c0f5137
---
 private/incidentd.te | 4 ++++
 private/stats.te     | 2 +-
 private/statsd.te    | 3 +++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/private/incidentd.te b/private/incidentd.te
index 7ad3a30c2..658db0710 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -45,6 +45,10 @@ allow incidentd sysfs_batteryinfo:file r_file_perms;
 userdebug_or_eng(`allow incidentd pstorefs:dir search');
 userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
 
+# section id 3023, allow obtaining stats report
+allow incidentd stats_service:service_manager find;
+binder_call(incidentd, statsd)
+
 # Create and write into /data/misc/incidents
 allow incidentd incident_data_file:dir rw_dir_perms;
 allow incidentd incident_data_file:file create_file_perms;
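Review bot: The two added rules are unconditional, unlike the `userdebug_or_eng` pstorefs rules directly above them, so incidentd can find stats_service and call into statsd on user builds as well. That is presumably intended for section 3023. SELinux only opens the binder transport here, so what statsd returns and to which caller has to be enforced in statsd's dump handler, which this patch does not show. Once that check is confirmed, I would record it in the comment, e.g. `# Section 3023: incidentd calls dump on statsd over binder; statsd enforces its own caller permission check.`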
diff --git a/private/stats.te b/private/stats.te
index 818d9f9d3..2c7199df9 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -37,10 +37,10 @@ binder_call(statsd, stats)
 ### neverallow rules
 ###
 
-# Only system_server, system_app, traceur_app, and stats command can find the stats service.
 neverallow {
   domain
   -dumpstate
+  -incidentd
   -priv_app
   -shell
   -stats
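Review bot: The comment describing this neverallow was deleted rather than updated, so the exemption list for finding the stats service now has no stated rationale. Each domain subtracted here (`-incidentd` is the new one) widens the set of processes that may reach statsd, so the list is worth documenting. A replacement such as `# Only the domains excluded below may find the stats service; incidentd needs it for the statsd incident section.` would cover it. The neverallow block continues past the end of this hunk, so the full exemption list and the target of the rule are not visible here.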
diff --git a/private/statsd.te b/private/statsd.te
index 1e4c5b392..16d3aebad 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -14,3 +14,6 @@ domain_auto_trans(statsd, perfetto_exec, perfetto)
 allow statsd {
   statscompanion_service
 }:service_manager find;
+
+# Allow incidentd to obtain the statsd incident section.
+allow statsd incidentd:fifo_file write;
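Review bot: The comment reads as a grant to incidentd, but the rule lets statsd write to a pipe owned by incidentd. A wording such as `# Write the statsd incident section into the pipe incidentd passes in its dump call.` matches the direction of the rule. Limiting the permission to `write` is appropriately narrow. Separately, `binder_call(incidentd, statsd)` in incidentd.te gives incidentd `fd use` on statsd's descriptors, not the reverse, so statsd needs `allow statsd incidentd:fd use;` from somewhere to accept the passed descriptor. That rule is not in this patch and may already exist elsewhere in the policy, so please confirm.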
-- 
GitLab