Fix lock logspam and remove domain_deprecated rule
Remove system_file:file { lock ioctl } from domain_deprecated. The only domains triggering this were dex2oat and netd, which are fixed in this change. Addresses the following logspam similar to: avc: granted { lock } for comm="iptables" path="/system/etc/xtables.lock" dev="sda22" ino=3745 scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file avc: granted { lock } for comm="dex2oat" path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295 scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file Test: device boots and no obvious problems. Bug: 28760354 Bug: 36879751 Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f
parent
ea53e29f82
commit
4a580ccabb
3 changed files with 6 additions and 9 deletions
|
@ -13,6 +13,9 @@ allow dex2oat dalvikcache_data_file:file write;
|
|||
allow dex2oat dalvikcache_data_file:lnk_file read;
|
||||
allow dex2oat installd:fd use;
|
||||
|
||||
# Acquire advisory lock on /system/framework/arm/*
|
||||
allow dex2oat system_file:file lock;
|
||||
|
||||
# Read already open asec_apk_file file descriptors passed by installd.
|
||||
# Also allow reading unlabeled files, to allow for upgrading forward
|
||||
# locked APKs.
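Review bot: The comment above the new dex2oat rule names only `/system/framework/arm/*`, but `allow dex2oat system_file:file lock;` is keyed on the type, so it grants `lock` on every file labelled `system_file`, on any architecture. The comment should state the real scope, for example `# Acquire advisory lock on boot image files under /system/framework/<arch>/; note this applies to all system_file files.` The same mismatch is in the netd hunk, where the comment names only `/system/etc/xtables.lock` above `allow netd system_file:file lock;`. Limiting either grant to the named paths would need a dedicated file type for them, which this change does not introduce, so a later reader should not take the comments as the enforcement boundary.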
|
||||
|
|
|
@ -71,7 +71,6 @@ auditallow {
|
|||
|
||||
# System file accesses.
|
||||
allow domain_deprecated system_file:dir r_dir_perms;
|
||||
allow domain_deprecated system_file:file r_file_perms;
|
||||
userdebug_or_eng(`
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
|
@ -86,14 +85,6 @@ auditallow {
|
|||
-vold
|
||||
-zygote
|
||||
} system_file:dir { open read ioctl lock }; # search getattr in domain
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-rild
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-zygote
|
||||
} system_file:file { ioctl lock }; # read open getattr in domain
|
||||
')
|
||||
|
||||
# Read files already opened under /data.
|
||||
|
|
|
@ -29,6 +29,9 @@ allow netd shell_exec:file rx_file_perms;
|
|||
allow netd system_file:file x_file_perms;
|
||||
allow netd devpts:chr_file rw_file_perms;
|
||||
|
||||
# Acquire advisory lock on /system/etc/xtables.lock
|
||||
allow netd system_file:file lock;
|
||||
|
||||
r_dir_file(netd, proc_net)
|
||||
# For /proc/sys/net/ipv[46]/route/flush.
|
||||
allow netd proc_net:file rw_file_perms;
|
||||
|
|