From 5c41d40ecd3558d44861374c1c490676a224b488 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 28 Jul 2017 16:04:21 -0700
Subject: [PATCH] system_server: allow writing to timerslack_ns

The only world-writable file in /proc/<pid>/ is
/proc/<pid>/timerslack_ns, so granting SELinux write permission on
a process's /proc/<pid>/ files only allows writing to timerslack_ns
(unless the target process runs as the system UID).

Addresses denials such as:
avc: denied { write } for comm="Binder:1117_2" name="timerslack_ns"
dev="proc" ino=27908 scontext=u:r:system_server:s0
tcontext=u:r:priv_app:s0 tclass=file permissive=1

Bug: 30675296
Test: build
Change-Id: I2cee8ce73a0dc05d771881c36da2fde5411859fb
---
 private/system_server.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/private/system_server.te b/private/system_server.te
index 6dbf03782..1091ffac8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -106,7 +106,9 @@ allow system_server hal_camera:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
 allow system_server bootanim:process { getsched setsched };
 
-# Allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns
+# Allow system_server to write to /proc/<pid>/timerslack_ns
+allow system_server appdomain:file w_file_perms;
+allow system_server audioserver:file w_file_perms;
 allow system_server cameraserver:file w_file_perms;
 
 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker
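Review bot: The new `appdomain:file w_file_perms` and `audioserver:file w_file_perms` rules at lines 33-34 grant write on every /proc/<pid>/ entry labeled with those domains, and the comment above them does not say that the restriction to timerslack_ns comes from DAC rather than from this policy. The commit message itself notes the DAC argument fails for targets running as the system UID, and system_server runs as that UID, so if any appdomain member (system_app appears to be one — confirm in seapp_contexts) runs as system, this rule also permits writes to its other per-process files such as oom_score_adj or comm. I would replace the comment with one that records the dependency: `# Allow system_server to write to /proc/<pid>/timerslack_ns. The file class covers every /proc/<pid>/ entry of these domains; only DAC (timerslack_ns is the sole world-writable entry) keeps this to timerslack_ns, and DAC does not constrain writes to processes running as UID system.` If narrower scope is wanted, a neverallow on the non-timerslack entries is not expressible here, so the comment is the only guard a future reader gets.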
-- 
GitLab