From 4e2d22451f9645f7ab39b94b1ec0f0f5a5c5b2e9 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Thu, 10 Dec 2015 11:10:20 -0800 Subject: [PATCH] Restore sysfs_devices_system_cpu to domain.te Lots of processes access CPU information. This seems to be triggered by libraries loaded into every Android process. Allow the access. Addresses the following denials: adbd : type=1400 audit(0.0:3): avc: denied { search } for name="cpu" dev="sysfs" ino=32 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1 adbd : type=1400 audit(0.0:4): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 adbd : type=1400 audit(0.0:5): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 adbd : type=1400 audit(0.0:6): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1 Change-Id: Ie7bfae53bdf670028db724d2720447ead42bad35
---
domain.te | 3 +++ domain_deprecated.te | 1 - 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/domain.te b/domain.te
index aaf2d0a04..c910c7069 100644
--- a/domain.te
+++ b/domain.te
@@ -99,6 +99,9 @@ allow domain system_file:lnk_file read;
 # libc references /data/misc/zoneinfo for timezone related information
 r_dir_file(domain, zoneinfo_data_file)
 
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
 # files under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:lnk_file read;
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 5fbeb60cb..269fe5bbd 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
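Review bot: In the domain.te hunk, `r_dir_file(domain, sysfs_devices_system_cpu)` grants every domain read access to all directories, files and symlinks carrying that type, while the denials quoted in the commit message come from adbd alone, touch only `/sys/devices/system/cpu/online`, and were logged with permissive=1. Which other nodes share the label is not visible in this patch, so it is worth confirming that nothing under it exposes more than CPU topology before it becomes readable from untrusted app domains. The policy comment could also record the reason for the grant, e.g. `# Libraries loaded into every process read /sys/devices/system/cpu/online; read-only access for all domains`.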
@@ -63,7 +63,6 @@ allow domain_deprecated ion_device:chr_file rw_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, sysfs_devices_system_cpu)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
 r_dir_file(domain_deprecated, proc_net)