From 8decca39814a87d0d70e3b4be749b3ada6ef1e8d Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 6 Jan 2014 14:04:34 -0800
Subject: [PATCH] surfaceflinger: fix bugreport screenshot functionality

When a bugreport is triggered using the device keys,
it generates a screenshot and places it into
/data/data/com.android.shell/files/bugreports. SELinux is denying
those writes.

Addresses the following denials:

<5> type=1400 audit(1389047451.385:23): avc:  denied  { call } for  pid=267 comm="Binder_1" scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=binder
<5> type=1400 audit(1389046083.780:37): avc:  denied  { write } for  pid=4191 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-06-14-07-35.txt.tmp" dev="mmcblk0p28" ino=81874 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Bug: 12416329
Change-Id: I318145591cda500094d98103d30b784df48a67be
---
 surfaceflinger.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/surfaceflinger.te b/surfaceflinger.te
index a2abf157a..a750a40f0 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -37,3 +37,7 @@ allow surfaceflinger app_data_file:file { read write };
 
 # Use open file provided by bootanim.
 allow surfaceflinger bootanim:fd use;
+
+# Allow a dumpstate triggered screenshot
+binder_call(surfaceflinger, dumpstate)
+allow surfaceflinger shell_data_file:file write;
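Review bot: The comment above the two added rules does not record that `allow surfaceflinger shell_data_file:file write;` is deliberately limited to `write`, with no `open` or `create`. As far as the visible rules go, that limit means surfaceflinger can only write through a descriptor it has been handed and cannot open shell data files by path. I would extend the comment to something like `# write only, via an fd passed in by the bugreport tooling; do not add open/create here`, so that a later change chasing a new denial does not widen the grant. The write denial quoted in the commit message is for a `bugreport-*.txt.tmp` file with comm="dumpsys", not a screenshot file, so the comment could also say that inherited output descriptors are what this covers; that reading is inferred from the message, not from the hunk.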
-- 
GitLab