Fix long-tail denials in enforcing domains.
The specific denials we see are:

denied { getattr } for pid=169 comm="installd" path="/data/data/com.android.providers.downloads/cache/downloadfile.jpeg" dev="mmcblk0p23" ino=602861 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=file
denied { fsetid } for pid=598 comm="netd" capability=4 scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability
denied { read } for pid=209 comm="installd" name="cache" dev="mmcblk0p28" ino=81694 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir

Bug: 10786017
Change-Id: Ia5d0b6337f3de6a168ac0d5a77df2a1ac419ec29
This commit is contained in:
parent
13a74a3aea
commit
3bb1ccc265
2 changed files with 2 additions and 1 deletions
@ -17,6 +17,7 @@ allow installd apk_tmp_file:file r_file_perms;
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms;
allow installd download_file:dir { r_dir_perms };
allow installd download_file:file { r_file_perms };
dontaudit installd self:capability sys_admin;
# Check validity of SELinux context before use.
selinux_check_context(installd)
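Review bot: `allow installd download_file:file { r_file_perms };` grants installd open and read on every file labeled download_file, while the denial quoted in the description is only `getattr` on a downloaded JPEG; if installd is merely stat'ing paths it is handed, `allow installd download_file:file getattr;` is the least-privilege fix. Full read access to another app's download cache is a meaningful widening for a privileged daemon, so it should stay only if installd genuinely has to read downloaded packages, which the audit records alone do not show. Whichever rule is kept deserves a comment for the next reader, e.g. `# installd receives paths under the downloads cache (presumably from the package manager) and must stat them`. The hunk header records a single added line, so one of the two download_file rules predates this commit; the rendered page does not let me tell which.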
2
netd.te
2
netd.te
@ -3,7 +3,7 @@ type netd, domain;
type netd_exec, exec_type, file_type;
init_daemon_domain(netd)
allow netd self:capability { net_admin net_raw kill };
allow netd self:capability { net_admin net_raw kill fsetid };
allow netd self:netlink_kobject_uevent_socket *;
allow netd self:netlink_route_socket *;
allow netd self:netlink_nflog_socket *;
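Review bot: Adding `fsetid` to `allow netd self:capability { net_admin net_raw kill fsetid };` is likely broader than the denial warrants. The kernel checks CAP_FSETID whenever a process chmod()s or chown()s a file, or writes to one carrying set-id bits, so this denial is commonly spurious — the operation succeeds with the bits cleared — and the usual remedy is to silence it rather than grant it: `dontaudit netd self:capability fsetid;`. If netd really does have to preserve setuid/setgid bits on some file it manages, keep the allow but record which operation needs it, e.g. `# fsetid: netd preserves set-id bits when chmod'ing <path> — confirm`. The description shows only the audit record, not whether the syscall failed, so this should be confirmed by exercising netd with the denial still in place.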