crash_dump: dontaudit gpu_device access

And add neverallow so that it's removed from partner policy if it was added there due to denials. Fixes: 124476401 Test: build Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05
2019-02-15 10:29:38 -08:00 · 2019-02-15 10:29:38 -08:00 · 504a654983
commit 504a654983
parent ec651944a0
2 changed files with 4 additions and 1 deletions
--- a/private/bug_map
+++ b/private/bug_map
@ -1,5 +1,4 @@
 cppreopts cppreopts capability 79414024
-crash_dump gpu_device chr_file 124468495
 dnsmasq netd fifo_file 77868789
 dnsmasq netd unix_stream_socket 77868789
 init app_data_file file 77873135
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@ -1,5 +1,8 @@
 typeattribute crash_dump coredomain;

+# Crash dump does not need to access the GPU.
+dontaudit crash_dump gpu_device:chr_file *;
+
 allow crash_dump {
  domain
  -apexd
@ -41,3 +44,4 @@ neverallow crash_dump {
 }:process { signal sigstop sigkill };

 neverallow crash_dump self:process ptrace;
+neverallow crash_dump gpu_device:chr_file *;