Commit graph

127 commits

Author SHA1 Message Date
Chih-Hung Hsieh
6dc7147fb0 Remove USE_CLANG_PLATFORM_BUILD in BoardConfig.mk
Use global default USE_CLANG_PLATFORM_BUILD set in core/envsetup.mk,
or user provided environment variable USE_CLANG_PLATFORM_BUILD.

BUG: 26102335
Change-Id: I7e12219a60f36bb44797bb028b4a5873a67c9210
2016-02-04 10:55:56 -08:00
Tom Cherry
69035cd4aa Remove special case handling of "ro." properties
Currently, properties that begin with "ro." are special cased to skip
over the "ro." part of the prefix before matching with entries in
property_contexts.  A change to init is removing this special case and
therefore, the "ro." prefixes must be explicitly added to
property_contexts.

Bug 26425619

Change-Id: I735eb9fc208eeec284cda8d778db946eeec24192
2016-01-11 13:16:45 -08:00
Miroslav Tisma
36a76ec098 sepolicy: Fix 'avc denied' issues for the emulators
This commit fixes the avc denied issues in the emulators:
- goldfish_setup is granted for network access
- netd dontaudit for sys_module
- qemu_prop is granted domain for get_prop

Critical issue was that SELinux denied reading the lcd_density property
by SurfaceFlinger via qemu_prop and this commit fixes it.

Change-Id: I633d96f4d2ee6659f18482a53e21f816abde2a5f
Signed-off-by: Miroslav Tisma <miroslav.tisma@imgtec.com>
2015-12-11 16:21:00 +01:00
Mike Frysinger
db4883ca93 sepolicy: drop -- marker
It's not needed and is a bit confusing.

BUG=26018537

Change-Id: Ibb1c3995de97a442c95d5eea823523b5f0f26393
2015-12-10 18:18:27 +00:00
Griff Hazen
0517540e8d Let qemu_props service set system properties in ro.emu and ro.emulator
These boot properties are used by android wear emulator to configure
round and chin shaped devices.

Bug: 23324757
Change-Id: I812da02d771bba0ffc63b14459c7de7cbdeed142
2015-11-07 16:53:59 -08:00
Jeff Vander Stoep
7890fc4d2e selinux: Grant all processes the domain_deprecated attribute
Bug: 25433265
Change-Id: Iafad5abd6e75c5a46f844ef3e744adf1c904b362
2015-11-04 08:49:07 -08:00
Chih-Hung Hsieh
557fa2f3cd Move arm target to clang by default.
Bug: 23163853
Change-Id: I4cb95ed652ca697461e2fb22811779aa2df8d262
2015-10-27 13:42:34 -07:00
Nick Kralevich
ce1062629f allow qemu_props to set opengles.version
Addresses the following denial:

  init: avc:  denied  { set } for property=opengles.version scontext=u:r:qemu_props:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service

Bug: 25148690
Change-Id: I4b197eeabfe37e794104e4e686e9e388b5bc3e0c
2015-10-21 10:55:21 -07:00
Nick Kralevich
64e4d8a211 am 35a075db: am 36d91b53: Merge "Only allow toolbox exec where /system exec was already allowed."
* commit '35a075db60bc5553b57ef3311b9643d3b04ea7da':
  Only allow toolbox exec where /system exec was already allowed.
2015-08-25 22:53:03 +00:00
Stephen Smalley
75770de701 Only allow toolbox exec where /system exec was already allowed.
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 11:46:12 -04:00
Ian Pedowitz
c3bc0b112c resolved conflicts for merge of e5a63158 to mnc-dev-plus-aosp
Change-Id: Ifcbf55d0f4a158602867c01546f4c0f7e668697f
2015-08-11 15:06:29 -07:00
Ian Pedowitz
4e0d34c7c7 Increasing arm(64)? emulator partition sizes to 1.5GB
Bug: 23093319
Change-Id: I5e493ef4715cee96ae6ab40d6415f5330075fad6
2015-08-11 12:53:39 -07:00
Nick Kralevich
385457dc31 am 4a5f5a7b: am a972891f: Merge "file_contexts: Label /dev/ttyS2 as console_device"
* commit '4a5f5a7b15e27ed159e2398c77de1de7f9fd4da9':
  file_contexts: Label /dev/ttyS2 as console_device
2015-07-16 19:19:20 +00:00
Miodrag Dinic
df2620ada4 file_contexts: Label /dev/ttyS2 as console_device
This fixes the issue with the emulator "-shell" option.
Init tries to open the console which is passed through
the kernel androidboot.console property, but fails to
open it because "avc" denies it. Init only has permissions
to open console_device in rw mode. This ensures that
/dev/ttyS2 is properly labeled as console_device.

Replaced tabs with spaces.

Change-Id: I9ef94576799bb724fc22f6be54f12de10ed56768
2015-07-16 20:36:07 +02:00
dcashman
19eeccdaf2 Allow init to create /mnt/sdcard symlink.
Addresses the following denial:
avc:  denied  { create } for  pid=1 comm="init" name="sdcard" scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0

Bug: 22084499
Change-Id: Icffef8330d07b00f36fda11374e39e0df7181ca3
2015-07-01 09:14:18 -07:00
Mark Salyzyn
9f8e1e1c7d goldfish: rename goldfish_logcat.te to logd.te
(cherrypicked from commit fd8c30177c)

Bug: 19608716
Change-Id: I5c76648a4bcbbb15a033465e8af66b12af6e0a18
2015-06-03 10:48:35 -07:00
Mark Salyzyn
94871b94ef goldfish: logcat -Q in logd domain
Deal with a build failure in conflict with cl/152105

(cherrypicked from commit 1cc7735ffa)

Bug: 19608716
Change-Id: I1078046db3b159c1baf0a22435c3e777424453a1
2015-06-03 10:47:34 -07:00
Mark Salyzyn
fd8c30177c goldfish: rename goldfish_logcat.te to logd.te
Bug: 19608716
Change-Id: I5c76648a4bcbbb15a033465e8af66b12af6e0a18
2015-06-03 09:00:14 -07:00
Mark Salyzyn
1cc7735ffa goldfish: logcat -Q in logd domain
Deal with a build failure in conflict with cl/152105

Bug: 19608716
Change-Id: I1078046db3b159c1baf0a22435c3e777424453a1
2015-06-03 07:52:21 -07:00
Yu Ning
0f54ada1cd Allow goldfish-setup to put the emulator in WiFi-only mode
The goldfish-setup service (essentially /system/etc/init.goldfish.sh)
executes the following commands when certain conditions are met:

 setprop ro.radio.noril yes
 stop ril-daemon

so as to stop the RIL daemon and emulate a WiFi-only device. Both would
fail, though, because goldfish-setup does not have the permissions to
set relevant properties.

This CL modifies the emulator's SELinux policy to grant the necessary
permissions. It is a step towards fixing the ril-daemon-keeps-getting-
killed-and-restarted problem with the new ("ranchu") emulator, which
does not support telephony emulation yet. (The other step is to have
init start goldfish-setup, which will be done in a separate CL.)

(cherrypicked from commit 33dca8090f)

Change-Id: Ice7e7898804b7353ac4a8c49d871b1b2571d7a5f
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-18 19:46:18 -07:00
William Roberts
c434f71bd8 Update device to use set_prop() macro
(cherrypicked from commit cccc901639)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-18 19:20:03 -07:00
Yu Ning
33dca8090f Allow goldfish-setup to put the emulator in WiFi-only mode
The goldfish-setup service (essentially /system/etc/init.goldfish.sh)
executes the following commands when certain conditions are met:

 setprop ro.radio.noril yes
 stop ril-daemon

so as to stop the RIL daemon and emulate a WiFi-only device. Both would
fail, though, because goldfish-setup does not have the permissions to
set relevant properties.

This CL modifies the emulator's SELinux policy to grant the necessary
permissions. It is a step towards fixing the ril-daemon-keeps-getting-
killed-and-restarted problem with the new ("ranchu") emulator, which
does not support telephony emulation yet. (The other step is to have
init start goldfish-setup, which will be done in a separate CL.)

Change-Id: Ice7e7898804b7353ac4a8c49d871b1b2571d7a5f
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-19 08:22:41 +08:00
Yu Ning
e9ec053e99 Label /dev/ttyGF* as serial_device
In goldfish kernel 3.10, the goldfish_tty device instantiates virtual
serial ports as /dev/ttyGF* (e.g. /dev/ttyGF0), not as /dev/ttyS* as in
goldfish kernel 3.4. However, in the emulator's SELinux security policy,
there is no specific security context assigned to /dev/ttyGF*, and the
one inherited from /dev (u:object_r:device:s0) prevents services such as
qemud and goldfish-logcat from reading and writing ttyGF*. Consequently,
qemud terminates abnormally on the classic x86_64 emulator:

 init: Service 'qemud' (pid XXX) exited with status 1

Fix this issue by assigning /dev/ttyGF* the same security context as
/dev/ttyS*.

(cherrypicked from commit 4783467922)

Change-Id: Ia7394dc217bd82f566c4d1b7eda3cc8ce3ac612f
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-18 09:55:07 -07:00
Yu Ning
4783467922 Label /dev/ttyGF* as serial_device
In goldfish kernel 3.10, the goldfish_tty device instantiates virtual
serial ports as /dev/ttyGF* (e.g. /dev/ttyGF0), not as /dev/ttyS* as in
goldfish kernel 3.4. However, in the emulator's SELinux security policy,
there is no specific security context assigned to /dev/ttyGF*, and the
one inherited from /dev (u:object_r:device:s0) prevents services such as
qemud and goldfish-logcat from reading and writing ttyGF*. Consequently,
qemud terminates abnormally on the classic x86_64 emulator:

 init: Service 'qemud' (pid XXX) exited with status 1

Fix this issue by assigning /dev/ttyGF* the same security context as
/dev/ttyS*.

Change-Id: Ia7394dc217bd82f566c4d1b7eda3cc8ce3ac612f
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-18 17:19:08 +08:00
Nick Kralevich
e89b6f5df1 Merge "Update device to use set_prop() macro"
2015-05-15 19:26:56 +00:00
Yu Ning
b23b5cc4a4 Label /dev/goldfish_pipe as qemu_device
In goldfish kernel 3.10, qemu_pipe has been renamed to goldfish_pipe.
However, in the emulator's SELinux policy, there is no specific security
context assigned to /dev/goldfish_pipe, and the one inherited from /dev
(u:object_r:device:s0) prevents various processes (qemud, qemu-props,
etc.) from reading and writing goldfish_pipe. Consequently, the classic
x86_64 emulator will not boot if GPU emulation is enabled ("-gpu host"),
and does not render the UI correctly if launched with "-gpu off".

Fix this issue by assigning /dev/goldfish_pipe the same security context
as /dev/qemu_pipe.

This CL also benefits the new ("ranchu") emulator, where all supported
ABIs (arm64, mips64, x86 and x86_64) use 3.10-based kernels. Without
this fix, the new emulator boots and works, but there are avc denials
related to goldfish_pipe.

Last but not least, it is now possible to boot the classic x86 emulator
with a 3.10-based kernel instead of the current 3.4-based one, without
disabling SELinux.

(cherry-pick of commit: a5053e6b35)

Change-Id: I52e75c94d3ae3758cbbf5bc0e1d84254fdf5c6cb
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-15 07:44:28 -07:00
Yu Ning
a5053e6b35 Label /dev/goldfish_pipe as qemu_device
In goldfish kernel 3.10, qemu_pipe has been renamed to goldfish_pipe.
However, in the emulator's SELinux policy, there is no specific security
context assigned to /dev/goldfish_pipe, and the one inherited from /dev
(u:object_r:device:s0) prevents various processes (qemud, qemu-props,
etc.) from reading and writing goldfish_pipe. Consequently, the classic
x86_64 emulator will not boot if GPU emulation is enabled ("-gpu host"),
and does not render the UI correctly if launched with "-gpu off".

Fix this issue by assigning /dev/goldfish_pipe the same security context
as /dev/qemu_pipe.

This CL also benefits the new ("ranchu") emulator, where all supported
ABIs (arm64, mips64, x86 and x86_64) use 3.10-based kernels. Without
this fix, the new emulator boots and works, but there are avc denials
related to goldfish_pipe.

Last but not least, it is now possible to boot the classic x86 emulator
with a 3.10-based kernel instead of the current 3.4-based one, without
disabling SELinux.

Change-Id: Iad979c0ee9d0a410be12b83ac1bef9476b50a6dc
Signed-off-by: Yu Ning <yu.ning@intel.com>
2015-05-15 16:30:57 +08:00
William Roberts
cccc901639 Update device to use set_prop() macro
Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-12 20:44:37 -07:00
bohu
22f1bc5db2 Bump sdk arm system image size to 750M
To fix broken build of arm system images.

Change-Id: I960dbb2a5a895557499fcf38655cd8907e768ef9
(cherry picked from commit 9f42be14b8)
2015-04-27 19:59:57 +00:00
Stephen Smalley
5699c6cf90 Drop BOARD_SEPOLICY_UNION.
As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.

Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-04-01 10:33:24 -04:00
Ying Wang
58aeaed9ce Merge "goldfish_logcat: remove permissive_or_unconfined()"
2015-02-23 17:30:50 +00:00
Ying Wang
aa67c0ce9a Merge "qemud: remove permissive_or_unconfined()"
2015-02-23 17:30:43 +00:00
Ying Wang
4be75b3733 Merge "qemu_props: remove permissive_or_unconfined()"
2015-02-23 17:30:28 +00:00
Stephen Smalley
7b4a69adf4 qemud: remove permissive_or_unconfined()
Change-Id: Ia15cf87de1d03364f80d3d0cbc546475abfef448
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-10 17:29:01 -05:00
Stephen Smalley
25a150c5e1 qemu_props: remove permissive_or_unconfined()
Change-Id: I29f37822ccac22dd884d88f9dcd23237b5a3e2de
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-10 17:28:41 -05:00
Stephen Smalley
063b6b85d6 goldfish_setup: remove permissive_or_unconfined()
Change-Id: I3b44f24554f288f4fb1e18a53fa68e8a7cd8c8c7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-10 17:28:11 -05:00
Stephen Smalley
de78c2776a goldfish_logcat: remove permissive_or_unconfined()
Change-Id: I1a26b07bf723c944c7dcb8beec96537500a3bc60
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-10 17:27:41 -05:00
Christoffer Dall
a60edd110f arm: Support qemu-android on generic arm targets
When building a generic arm 32-bit target, we also want to include
support for the ranchu board model for the updated Android emulator
based on recent upstream QEMU.

Since the emulator.mk file is included by both the generic and
generic_arm64 targets and already defines a PRODUCT_COPY_FILES and
PRODUCT_PACKAGES, move duplicate entries from
target/board/generic*/device.mk to target/product/emulator.mk.

Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Change-Id: I7922ec0c4097776a185dbb245301d760ff332386
2014-11-19 12:17:59 -08:00
Daniel Cashman
1cffe21979 am b0efa98d: Merge "Switch qemud to permissive_or_unconfined()."
* commit 'b0efa98d97c04f4f97f57aae954aa61cb14683fe':
  Switch qemud to permissive_or_unconfined().
2014-11-06 19:22:01 +00:00
Stephen Smalley
82b6f21be3 Switch qemud to permissive_or_unconfined().
Switch the qemud domain from unconfined_domain() to
permissive_or_unconfined() so that we can start collecting and
addressing denials in -userdebug/-eng builds.

Also allow access to the serial device.

Change-Id: I9c7a6ddc8c2e64bfc6c5bb896eed1729ab205d60
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-11-06 09:36:40 -05:00
Nick Kralevich
54e1837910 am 36084e64: Merge "Label goldfish block devices with their own types."
* commit '36084e64a1b603f0ca848bba5ca91938f853dc4c':
  Label goldfish block devices with their own types.
2014-10-31 18:31:34 +00:00
Stephen Smalley
2ef5bf74fa Label goldfish block devices with their own types.
This assigns block device types as per device/generic/goldfish/fstab.goldfish.
Eliminates (permissive) avc:  denied messages for fsck.

Change-Id: Ia72bdfb16975f051548b6b2c0636e4f907295789
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-31 14:19:55 -04:00
Nick Kralevich
4fe702e4dc am dfa2f8a6: Merge "Mark qemu_device as a mlstrustedobject."
* commit 'dfa2f8a6e309bca516a11d83abd1aa8733acce69':
  Mark qemu_device as a mlstrustedobject.
2014-10-31 17:36:28 +00:00
Stephen Smalley
968ce565f7 Mark qemu_device as a mlstrustedobject.
Allow apps running with any level to write to it.

Change-Id: I8fca1f377e14c624db5273bdacf8400addc6210d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-31 13:28:09 -04:00
Nick Kralevich
63df0a5591 am 67463061: am 9d5f5d0e: Merge "Add domains for goldfish services."
* commit '67463061850da489782b5023e0a6178e06f602fb':
  Add domains for goldfish services.
2014-09-28 00:23:32 +00:00
Stephen Smalley
704744ad81 Add domains for goldfish services.
goldfish-setup, goldfish-logcat, and qemu-props are goldfish-specific
oneshot services that lacked domain definitions and thus were left in init's
domain.

This depends on a change to external/sepolicy with the same Change-Id
to define non-goldfish-specific types for properties and logcat.

Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-22 14:41:56 -04:00
Deepanshu Gupta
4e5e582522 Use fonts from generic device for the SDK.
This removes the explicit list of fonts for the SDK and replaces it with
the fonts built for the generic device.

Also, the symlinked fonts are copied because Windows doesn't support
symlinks.

Change-Id: I8b18b2ab0149ab24448f27dbd5f9716e5d360029
2014-08-09 00:37:31 +00:00
dcashman
6672745d18 am cac1fc6d: am 5bb6eeb9: am d9c312b5: Merge "Allow all domains access to /dev/qemu_trace."
* commit 'cac1fc6dd5daf5f03bacf8749f888d196985fda8':
  Allow all domains access to /dev/qemu_trace.
2014-06-17 01:30:39 +00:00
dcashman
38a261a82b Allow all domains access to /dev/qemu_trace.
/dev/qemu_trace is used by memcheck on qemu to get memory allocation events
from all processes on the system.  Allow all domains to access this device, and
other qemu-specific devices.

Addresses the following denials:
type=1400 audit(1402674828.500:3): avc:  denied  { read write } for  pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674828.500:4): avc:  denied  { open } for  pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674828.520:5): avc:  denied  { read write } for  pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674828.520:6): avc:  denied  { open } for  pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674828.610:7): avc:  denied  { read write } for  pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674828.610:8): avc:  denied  { open } for  pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674829.000:9): avc: denied { read write } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674829.000:10): avc: denied { open } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674829.180:11): avc: denied { read write } for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674829.200:12): avc: denied { read write } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674829.200:13): avc: denied { open } for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674829.200:14): avc: denied { open } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674829.280:15): avc: denied { read write } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674829.280:16): avc: denied { open } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674830.580:17): avc: denied { read write } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674830.580:18): avc: denied { open } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674930.860:22): avc: denied { read write } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file
type=1400 audit(1402674930.870:23): avc: denied { open } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file

Bug: 15570479
Change-Id: I87d0976800557d73064e2da038315b0d019d7a60
2014-06-16 14:17:05 -07:00
dcashman
42971a6ad7 Revert "Allow all domains access to /dev/qemu_trace."
This reverts commit b1b12f8ad4.

(cherry picked from commit 097e840b06)

Change-Id: I89a9a0879a415c177091852a579c6dfd8c8a5b0a
2014-06-16 12:16:32 -07:00