Fix selinux denials for incidentd
This is to fix selinux denials on incident-helper-cmd.
incident-helper-cmd is a Java program spawn from app_process. There are
currently some selinux denials because app_process tries to read boot
flags, read dalvik cache, run JIT and exec from JIT cache.
This change:
- allows incidentd to read the runtime feature flag properties. This is
a normal behavior during app_process startup
- allows incidentd to lock a few java libraries under
/apex/com.android.art. Again, this is normal when ART starts
- mutes denial of writing to and exec from dalvik cache / JIT cache
Fixes: 149011438
Test: Run $ incident 1116, and verify there's no selinux denial
Change-Id: I95a6b93e6a5510c749bebe7ecbcab9a803be0801
diff --git a/private/incidentd.te b/private/incidentd.te
index 45499fc..8924d83 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -131,14 +131,21 @@
# For running am, incident-helper-cmd and similar framework commands.
# Run /system/bin/app_process.
allow incidentd zygote_exec:file { rx_file_perms };
+# Access the runtime feature flag properties.
+get_prop(incidentd, device_config_runtime_native_prop)
+get_prop(incidentd, device_config_runtime_native_boot_prop)
+# ART locks profile files.
+allow incidentd system_file:file lock;
+# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
+dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd tmpfs:file rwx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
# Access /data/misc/logd
-allow incidentd misc_logd_file:dir r_dir_perms;
-allow incidentd misc_logd_file:file r_file_perms;
+r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
