platform_system_core

History

Mark Salyzyn e81ede85c7 llkd: Skip apexd for process checks apexd is a sensitive daemon, and the ability to ptrace this domain is restricted by SELinux policy. apexd spawns a binder thread which makes matching difficult, as we would instead need to use /system/bin/apexd as the blacklist key. Change llkd to also check for a match on the basename of the executable path. This will solve a gotcha expectation when creating a blacklist key. Without this change, llkd continues to generate SELinux denials of type=1400 audit(0.0:1764): avc: denied { ptrace } for comm="llkd" scontext=u:r:llkd:s0 tcontext=u:r:apexd:s0 tclass=process permissive=0 Commit `5390b9add4` was originally intended to fix these denials, but it seems to have had no effect and the denials are still being generated. This change will fix it. Test: none Change-Id: I00aa10dfff30c65a120ad30582b820e2d4b1bb38	2018-10-22 16:11:02 -07:00
..
llkd.h	llkd: Skip apexd for process checks	2018-10-22 16:11:02 -07:00

Mark Salyzyn e81ede85c7 llkd: Skip apexd for process checks

apexd is a sensitive daemon, and the ability to ptrace this domain is
restricted by SELinux policy.  apexd spawns a binder thread which
makes matching difficult, as we would instead need to use
/system/bin/apexd as the blacklist key.

Change llkd to also check for a match on the basename of the
executable path.  This will solve a gotcha expectation when creating
a blacklist key.

Without this change, llkd continues to generate SELinux denials of

type=1400 audit(0.0:1764): avc: denied { ptrace } for comm="llkd" scontext=u:r:llkd:s0 tcontext=u:r:apexd:s0 tclass=process permissive=0

Commit 5390b9add4 was originally intended
to fix these denials, but it seems to have had no effect and the denials
are still being generated.  This change will fix it.

Test: none
Change-Id: I00aa10dfff30c65a120ad30582b820e2d4b1bb38

2018-10-22 16:11:02 -07:00

llkd.h llkd: Skip apexd for process checks 2018-10-22 16:11:02 -07:00