From 82fc3b524164588388aa3595bd2158020d93d28a Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 6 Dec 2013 13:31:16 -0800
Subject: [PATCH] Allow app-app communication via pipes

Allow apps to communicate with each other via pipes.
In particular, this fixes a bug where printing from Chrome wasn't
working.

  STEPS TO REPRODUCE:
  1. Launch Chrome
  2. From menu tap print and observe
        OR
  1. Launch Drive, Select any file (*.txt, *.doc. *.pdf.........)
  2. Select print

Addresses the following denials:

<5>[  122.352797] type=1400 audit(1386363998.374:18): avc:  denied  { write } for  pid=3786 comm=4173796E635461736B202332 path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248363] type=1400 audit(1386363999.264:19): avc:  denied  { getattr } for  pid=2677 comm=".android.chrome" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248620] type=1400 audit(1386363999.264:20): avc:  denied  { write } for  pid=3308 comm="ChildProcessMai" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:isolated_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file

Bug: 12032455
Change-Id: Ic1cb5c1d42596f5a8fc3fe82fcbfe47aa43a7d6c
---
 app.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app.te b/app.te
index 6e95ffb40..cf918a17c 100644
--- a/app.te
+++ b/app.te
@@ -24,6 +24,9 @@ allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt };
 binder_call(appdomain, system_server)
 
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
 binder_call(appdomain, surfaceflinger)
-- 
GitLab