SEPolicy: Allow app / system_server to write to dumpstate pipes.

am: a34781ae15

Change-Id: Ic4103ff418e69f000198bb588f0cfccc578ba324

private/app.te

@@ -121,9 +121,13 @@ allow appdomain anr_data_file:file { open append };
 # domain socket.
 #
 # Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces.
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
 unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
 allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
 
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;

private/system_server.te

@@ -315,9 +315,11 @@ allow system_server anr_data_file:file create_file_perms;
 # domain socket.
 #
 # Allow system_server to connect and write to the tombstoned java trace socket in
-# order to dump its traces.
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture.
 unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
 allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
 
 # Read /data/misc/incidents - only read. The fd will be sent over binder,
 # with no DAC access to it, for dropbox to read.