From 75b25dd1d603e73bb213c1545dba981e0d9d8333 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Wed, 6 Apr 2016 10:22:58 -0600
Subject: [PATCH] Allow system_server to execute timeout.

We've seen evidence that the logcat binary can end up wedged, which
means we can eventually starve system_server for FDs.  To mitigate
this, wrap logcat using the timeout utility to kill and clean up if
it takes too long to exit.

avc: denied { execute } for name="toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

Bug: 27994717, 28021719, 28009200
Change-Id: I76d3c7fe5b37fb9a144a3e5dbcc9150dfea495ee
---
 system_server.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/system_server.te b/system_server.te
index 8d8c30350..ac2725661 100644
--- a/system_server.te
+++ b/system_server.te
@@ -497,6 +497,9 @@ allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write sh
 # accesses to the underlying FS.
 allow system_server media_rw_data_file:dir search;
 
+# Allow invoking tools like "timeout"
+allow system_server toolbox_exec:file rx_file_perms;
+
 ###
 ### Neverallow rules
 ###
-- 
GitLab