From 57955712d08a60c17458ec34f584d37a7be9eaf0 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 21 Mar 2014 10:36:24 -0400
Subject: [PATCH] Allow surfaceflinger to read /proc/pid/cmdline of dumpstate.

Resolves denials such as:
avc:  denied  { open } for  pid=3772 comm="Binder_4" name="cmdline" dev="proc" ino=26103 scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=file

This seems harmless, although I am unclear as to why/where it occurs.
Likely just for logging/debugging.

Change-Id: I7be38deabb117668b069ebdf086a9ace88dd8dd1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 surfaceflinger.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/surfaceflinger.te b/surfaceflinger.te
index cb67855ba..5ecfd1832 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -50,6 +50,7 @@ allow surfaceflinger bootanim:fd use;
 # Allow a dumpstate triggered screenshot
 binder_call(surfaceflinger, dumpstate)
 binder_call(surfaceflinger, shell)
+r_dir_file(surfaceflinger, dumpstate)
 
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
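Review bot: the added `r_dir_file(surfaceflinger, dumpstate)` line grants more than the quoted denial needs, and it has no comment of its own. The denial in the commit message is a single `{ open }` on the `cmdline` file with `tcontext=u:r:dumpstate:s0`, while `r_dir_file` gives surfaceflinger read access to directories, files and symlinks labelled `dumpstate`, which means every entry under dumpstate's /proc/pid directory and not only `cmdline`. Since the commit message says the source of the access is unclear, it would help either to narrow this to file read permissions on `dumpstate:file`, or to keep the macro and say in the policy why the wider grant is acceptable. As placed, the line falls under "# Allow a dumpstate triggered screenshot", which does not tell a later reader that it exists for /proc/pid/cmdline; a one-line comment such as "# Read /proc/pid/cmdline of dumpstate" directly above it would keep the rule auditable.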
-- 
GitLab