Get rid of more auditallow spam
Addresses the following audit messages: [ 7.984957] type=1400 audit(33873666.610:40): avc: granted { getattr } for pid=1 comm="init" name="system@framework@boot-ext.art" dev="dm-2" ino=106324 scontext=u:r:init:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file [ 65.528068] type=1400 audit(1477751916.508:96): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.530425] type=1400 audit(1477751916.508:97): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.530487] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.530800] type=1400 audit(1477751916.508:98): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.530842] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531138] type=1400 audit(1477751916.508:99): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12428 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531176] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531465] type=1400 audit(1477751916.508:100): avc: granted { search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup" ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.531502] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 
comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.531789] type=1400 audit(1477751916.508:101): avc: granted { open } for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file [ 65.531827] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir [ 65.713056] type=1400 audit(1477751916.508:102): avc: granted { search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir Bug: 32246161 Test: policy compiles Test: dumpstate no longer generates the audit messages above. Change-Id: Id5afe2ebeb24f8a7407aac1a0a09806b1521b0e4
This commit is contained in:
parent
ece327292c
commit
2c8ea36ad8
2 changed files with 36 additions and 2 deletions
@ -79,6 +79,7 @@ auditallow {
-debuggerd
-dex2oat
-dumpstate
-init
-installd
-system_server
-zygote
@ -115,8 +116,38 @@ auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -pr
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
auditallow domain_deprecated inotify:dir r_dir_perms;
auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
auditallow {
domain_deprecated
-appdomain
-dumpstate
-fingerprintd
-healthd
-init
-inputflinger
-installd
-keystore
-netd
-rild
-surfaceflinger
-system_server
-zygote
} cgroup:dir r_dir_perms;
auditallow {
domain_deprecated
-appdomain
-dumpstate
-fingerprintd
-healthd
-init
-inputflinger
-installd
-keystore
-netd
-rild
-surfaceflinger
-system_server
-zygote
} cgroup:{ file lnk_file } r_file_perms;
auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
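Review bot: The two expanded cgroup auditallow rules (the block closing with `} cgroup:dir r_dir_perms;` and the one closing with `} cgroup:{ file lnk_file } r_file_perms;`) carry an identical 14-entry exclusion list with nothing tying them together, so the next domain that gets its own explicit cgroup allow has to be removed from both lists or audit coverage silently diverges between directory and file access. A header comment above the first block would make the intent reviewable, e.g. `# Domains excluded here have their own cgroup allow rules; keep the dir and file exclusion lists in sync`, and if the policy build's macro layer permits it, defining the exclusion set once would remove the duplication. The single-line addition in the first hunk (the block at old line 79) cannot be attributed from the rendered page; if it is an `-init` exclusion covering the `init` getattr on `dalvikcache_data_file` from the description, this commit adds no explicit allow for that access, so it is worth confirming init is granted it outside domain_deprecated before the audit is dropped. That first block's subject line and closing line lie outside the hunk.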
@ -95,6 +95,9 @@ allow dumpstate { storage_file block_device }:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
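Review bot: The comment `# Read /dev/cpuctl and /dev/cpuset` above `r_dir_file(dumpstate, cgroup)` names /dev/cpuset, but the audit log in the description only shows dumpstate opening `/dev/cpuctl/tasks` and `/dev/cpuctl/bg_non_interactive/tasks`; the grant is on the whole `cgroup` type rather than a path, so it covers every cgroup-labeled directory and file, presumably /dev/cpuset among them. Recording the accesses actually observed keeps the wider grant reviewable later, e.g. `# Read cgroup dirs/files; observed in the audit log: /dev/cpuctl/tasks and /dev/cpuctl/bg_non_interactive/tasks`. The exact permission set comes from the `r_dir_file` macro defined outside this file, so the comment should not claim more or less than that macro grants.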