tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/system_app.te

79 lines
2 KiB
Text
Raw Normal View History

Split system_app from system. system_app is for apps that run in the system UID, e.g. Settings. system is for the system_server. Split them into separate files and note their purpose in the comment header of each file. Change-Id: I19369abc728ba2159fd50ae6b230828857e19f10 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-11 17:37:46 +02:00
#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 18:54:39 +01:00
type system_app, domain, domain_deprecated;
Restore app_domain macro and move to private use. app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 20:23:34 +01:00
Resolve overlapping rules between app.te and net.te. There is some overlap between socket rules in app.te and the net.te rules, but they aren't quite identical since not all app domains presently include the net_domain() macro and because the rules in app.te allow more permissions for netlink_route_socket and allow rawip_socket permissions for ping. The current app.te rules prevent one from ever creating a non-networked app domain. Resolve this overlap by: 1) Adding the missing permissions allowed by app.te to net.te for netlink_route_socket and rawip_socket. 2) Adding net_domain() calls to all existing app domains that do not already have it. 3) Deleting the redundant socket rules from app.te. Then we'll have no effective change in what is allowed for apps but allow one to define app domains in the future that are not allowed network access. Also cleanup net.te to use the create_socket_perms macro rather than * and add macros for stream socket permissions. Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 16:48:03 +01:00
net_domain(system_app)
Address bug report denials. Triggering a bug report via Settings > Developer Options > Take bug report generates a number of denials. Two bugs here: 1) According to the "allowed" list in frameworks/native/cmds/servicemanager/service_manager.c , media apps, nfc, radio, and apps with system/root UIDs can register as a binder service. However, they were not placed into the binder_service domain. Fix them. 2) The bugreport mechanism queries all the services and java programs and asks them to write to a shell owned file. Grant the corresponding SELinux capability. Addresses the following denials: <5>[ 149.342181] type=1400 audit(1389419775.872:17): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 149.371844] type=1400 audit(1389419775.902:18): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 149.980161] type=1400 audit(1389419776.512:22): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.095066] type=1400 audit(1389419776.622:23): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.096748] type=1400 audit(1389419776.632:24): avc: denied { getattr } for pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.097090] type=1400 audit(1389419776.632:25): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 154.545583] type=1400 audit(1389419781.072:43): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.000877] type=1400 audit(1389419782.532:44): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.022567] type=1400 audit(1389419782.552:45): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.043463] type=1400 audit(1389419782.572:46): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.062550] type=1400 audit(1389419782.592:47): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3
2014-01-11 08:05:25 +01:00
binder_service(system_app)
Confine all app domains, but make them permissive for now. As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done. Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:12:55 +02:00
Label app data directories for system UID apps with a different type. We were using system_data_file for the /data/data directories of system UID apps to match the DAC ownership of system UID shared with other system files. However, we are seeing cases where files created in these directories must be writable by other apps, and we would like to avoid allowing write to system data files outside of these directories. So introduce a separate system_app_data_file type and assign it. This should also help protect against arbitrary writes by system UID apps to other system data directories. This resolves the following denial when cropping or taking a user photo for secondary users: avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 14604553 Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-07 19:10:02 +02:00
# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir create_dir_perms;
Allow system_app to access /data/data link files system_app tries to access files in /data/data (lnk_files). But due to permission issue it is not able to access the link files. Change-Id: I2959d899f5e3ab9caa219d684541d36587a6c059
2015-01-13 14:56:54 +01:00
allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
Confine all app domains, but make them permissive for now. As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done. Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:12:55 +02:00
system_app: remove perms to write to system_data_file Strengthen neverallow rule to enforce that no apps may write to system_data_file - the default label for /data/ Change-Id: I886e4340f300551754c9e33e9c1764fb730b6b14
2016-01-20 23:36:45 +01:00
# Read and write to /data/misc/user.
Pull keychain-data policy out of system-data Migrators should be allowed to write to /data/misc/keychain in order to remove it. Similarly /data/misc/user should be writable by system apps. TODO: Revoke zygote's rights to read from /data/misc/keychain on behalf of some preloaded security classes. Bug: 17811821 Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
2014-10-13 13:10:08 +02:00
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
Restore system_app access to system-owned /data directories. System UID apps want to be able to create/write to system-owned /data directories outside of their own /data/data package directory, such as /data/system/cache and /data/misc/keychain. Restore access (which was removed by Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea when system_app_data_file was introduced for the /data/data package directories of system UID apps), but audit writes to system_data_file so we can look at introducing separate types for these directories in the future and ultimately remove access to the rest of the system-owned data. Change-Id: I573f120f23f2dd2d228aa738b31ad2cb3044ec6e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-27 20:23:32 +02:00
Let Settings measure transient free space. Transient volumes like USB drives are only mounted at /mnt/media_rw, but they still appear in Settings > Storage. To show stats like free/used space, give Settings the permissions it needs to access devices mounted there. avc: denied { search } for name="media_rw" dev="tmpfs" ino=8358 scontext=u:r:system_app:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0 Bug: 22545248 Change-Id: I273a1729e417873184ad04ba9dd0fec95fd54f97
2015-07-31 02:51:04 +02:00
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
Confine all app domains, but make them permissive for now. As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done. Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:12:55 +02:00
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
Modified security policy to allow user to get their own icon. BUG: 27583869 Change-Id: I0a25bd03f3998d48dba355b91140611e38ce7b0d
2016-02-25 16:37:06 +01:00
# Read icon file.
allow system_app icon_file:file r_file_perms;
Give system_server / system_app ability to write some properties Allow writing to persist.sys and debug. This addresses the following denials (which are actually being enforced): <4>[ 131.700473] avc: denied { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service <3>[ 131.700625] init: sys_prop: permission denied uid:1000 name:debug.force_rtl <4>[ 132.630062] avc: denied { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service <3>[ 132.630184] init: sys_prop: permission denied uid:1000 name:persist.sys.dalvik.vm.lib Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6
2013-11-01 18:45:03 +01:00
# Write to properties
Allow system apps (Settings) to configure Bluetooth properties Bug: 27078729 Change-Id: I74115521e1def661dea5575eb532b93fe7f1f4ad
2016-02-09 00:39:00 +01:00
set_prop(system_app, bluetooth_prop)
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. (cherrypicked from commit 625a3526f1ebaaa014bb563239cc33829f616232) Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-05 03:22:45 +02:00
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
Allow shell to set log.tag.* properties Also allow shell to set persist.log.tag.* Bug: 28942894 Change-Id: Ifdb2c87871f159dd15338db372921297aea3bc6b
2016-06-01 20:14:14 +02:00
set_prop(system_app, log_tag_prop)
logpersist: reserve persist.logd.logpersistd shell, system_app and logd access granted on debug builds only Bug: 28936216 Change-Id: Ib9648e8565cc0ea0077cf0950b0e4ac6fe0a3135
2016-06-06 21:18:46 +02:00
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
Align SELinux property policy with init property_perms. Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 16:27:02 +02:00
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
Allow system_app to start bugreport and to create /data/anr/traces.txt. Resolves denials such as: avc: denied { set } for property =ctl.bugreport scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_default_prop:s0 tclass=property_service avc: denied { write } for pid=4415 comm=5369676E616C2043617463686572 name="anr" dev="dm-0" ino=358337 scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir avc: denied { add_name } for pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir avc: denied { create } for pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file Change-Id: I71d0ede049136d72f28bdc85d52fcefa2f7d128f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-06 20:47:22 +01:00
Settings: switch to using ctl.start property instead of exec logcat - Moves policy of what to do with buffer size changes to logd Bug: 23685592 Change-Id: I0b12c452e01b94d264d12b30f9040f646e609340
2016-01-06 18:59:48 +01:00
# ctl interface
set_prop(system_app, ctl_default_prop)
set_prop(system_app, ctl_bugreport_prop)
Allow system_app to start bugreport and to create /data/anr/traces.txt. Resolves denials such as: avc: denied { set } for property =ctl.bugreport scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_default_prop:s0 tclass=property_service avc: denied { write } for pid=4415 comm=5369676E616C2043617463686572 name="anr" dev="dm-0" ino=358337 scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir avc: denied { add_name } for pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir avc: denied { create } for pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file Change-Id: I71d0ede049136d72f28bdc85d52fcefa2f7d128f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-06 20:47:22 +01:00
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
Allow Developer settings to change runtime size of logd - permit logd control from system_app Bug: 14563261 Change-Id: Id5992cca70647a0e4b913a793c6ba8334dc57963
2014-05-10 02:47:19 +02:00
sepolicy: allow system apps to access ASEC Required for Settings to show name/icon of apps on sd card (permission copied from untrusted_app) Also removed duplicate permission (from domain) in untrusted_app Change-Id: Ib2b3bee4dfb54ad5e45b392fd9bfd65add4a00bf
2014-12-11 16:33:49 +01:00
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
Allow system_app to list all services. The Settings app contains a SystemPropPoker class which notifies every service on the system that a property has changed. Address the following denial: avc: denied { list } for service=NULL scontext=u:r:system_app:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager Cherry-pick of Change-Id: I81926e8833c1abcb17a4d49687fc89619b416d6c Bug: 20762975 Change-Id: I665a460f30a1ef57b513da9166aad60097dd4886
2015-05-05 00:06:26 +02:00
allow system_app servicemanager:service_manager list;
Added permissions for the dumpstate service. - Allow dumpstate to create the dumpservice service. - Allow System Server and Shell to find that service. - Don't allow anyone else to create that service. - Don't allow anyone else to find that service. BUG: 31636879 Test: manual verification Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-10-29 00:52:15 +02:00
# TODO: scope this down? Too broad?
Rules for new installd Binder interface. Most of this CL mirrors what we've already done for the "netd" Binder interface, while sorting a few lists alphabetically. Migrating installd to Binder will allow us to get rid of one of the few lingering text-based command protocols, improving system maintainability and security. Test: builds, boots Bug: 13758960, 30944031 Change-Id: I59b89f916fd12e22f9813ace6673be38314c97b7
2016-12-05 19:19:11 +01:00
allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
Add imms service and system_app_service type. Map imms to system_app_service in service_contexts and add the system_app_service type and allow system_app to add the system_app_service. Bug: 16005467 Change-Id: I06ca75e2602f083297ed44960767df2e78991140
2014-07-01 17:38:56 +02:00
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
allow system_app keystore:keystore_key {
Rename keystore methods and delete unused permissions Keystore is going through an API cleanup to make names more clear and remove unclear methods. (cherry-picked from commit cbc8f796551151c0d9651500d5d9f116177a07dc) Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-13 23:39:48 +02:00
get_state
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
get
insert
delete
exist
Rename keystore methods and delete unused permissions Keystore is going through an API cleanup to make names more clear and remove unclear methods. (cherry-picked from commit cbc8f796551151c0d9651500d5d9f116177a07dc) Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-13 23:39:48 +02:00
list
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
reset
password
lock
unlock
Rename keystore methods and delete unused permissions Keystore is going through an API cleanup to make names more clear and remove unclear methods. (cherry-picked from commit cbc8f796551151c0d9651500d5d9f116177a07dc) Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-13 23:39:48 +02:00
is_empty
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
sign
verify
grant
duplicate
clear_uid
Add keystore user_changed permission user_changed will be used for state change methods around android user creation/deletion. (cherry-picked from commit 520bb816b86fe36440767db6e2f05fb4e8a08f3e) Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
2015-05-12 21:33:40 +02:00
user_changed
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
};
Create sysfs_zram label. Address following denials: avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 Bug: 22032619 Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
2016-01-04 23:23:23 +01:00
# /sys access
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-10 01:27:17 +02:00
r_dir_file(system_app, sysfs_type)
Create sysfs_zram label. Address following denials: avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 Bug: 22032619 Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
2016-01-04 23:23:23 +01:00
Allow Developer settings to change runtime size of logd - permit logd control from system_app Bug: 14563261 Change-Id: Id5992cca70647a0e4b913a793c6ba8334dc57963
2014-05-10 02:47:19 +02:00
control_logd(system_app)
Reference in a new issue Copy permalink