From ab61935ac2ad0327606a0e7f469a62c2e06d083f Mon Sep 17 00:00:00 2001
From: Mike Ma
Date: Tue, 11 Feb 2020 12:56:36 -0800
Subject: [PATCH] Fix selinux denials for incidentd This is to fix selinux denials on incident-helper-cmd. incident-helper-cmd is a Java program spawn from app_process. There are currently some selinux denials because app_process tries to read boot flags, read dalvik cache, run JIT and exec from JIT cache. This change: - allows incidentd to read the runtime feature flag properties. This is a normal behavior during app_process startup - allows incidentd to lock a few java libraries under /apex/com.android.art. Again, this is normal when ART starts - mutes denial of writing to and exec from dalvik cache / JIT cache Fixes: 149011438 Test: Run $ incident 1116, and verify there's no selinux denial Change-Id: I95a6b93e6a5510c749bebe7ecbcab9a803be0801
---
 private/incidentd.te | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/private/incidentd.te b/private/incidentd.te
index 45499fc03..8924d83fc 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -131,14 +131,21 @@ allow incidentd shell_exec:file rx_file_perms;
 # For running am, incident-helper-cmd and similar framework commands.
 # Run /system/bin/app_process.
 allow incidentd zygote_exec:file { rx_file_perms };
+# Access the runtime feature flag properties.
+get_prop(incidentd, device_config_runtime_native_prop)
+get_prop(incidentd, device_config_runtime_native_boot_prop)
+# ART locks profile files.
+allow incidentd system_file:file lock;
+# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
+dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd tmpfs:file rwx_file_perms;
 # logd access - work to be done is a PII safe log (possibly an event log?)
 userdebug_or_eng(`read_logd(incidentd)')
 # TODO control_logd(incidentd)
 # Access /data/misc/logd
-allow incidentd misc_logd_file:dir r_dir_perms;
-allow incidentd misc_logd_file:file r_file_perms;
+r_dir_file(incidentd, misc_logd_file)
 # Allow incidentd to find these standard groups of services.
 # Others can be whitelisted individually.
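Review bot: The added `dontaudit incidentd tmpfs:file rwx_file_perms;` suppresses audit records for read and write as well as execute on every tmpfs-labelled file, which is wider than the JIT-cache exec denial the comment above it describes. A later unexpected incidentd access to tmpfs would then be denied with no AVC message left to investigate. If the startup denial is only the exec, something like `dontaudit incidentd tmpfs:file execute;` would keep the other accesses visible; the exact permission set should be taken from the logged denial, which is not shown here. The comment `# ART locks profile files.` also disagrees with the commit message, which says the locked files are Java libraries under /apex/com.android.art, so I would reword it to match, e.g. `# ART locks its Java libraries under /apex/com.android.art at startup.`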