Silence /proc/pid denials.
system_server components such as ActivityManager and CpuTracker try to access all /proc/pid directories, triggering denials on domains that are not explicitly allowed to the system_server. Silence these denials to avoid filling the logs with noise and overwriting actual useful messages in the kernel ring buffer. Change-Id: Ifd6f2fd63e945647570ed61c67a6171b89878617 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley
parent
64c0ff0079
commit
6fe899a0d1
1 changed files with 7 additions and 0 deletions
|
|
@ -80,6 +80,13 @@ r_dir_file(system_server, appdomain)
|
|||
# Write to /proc/pid/oom_adj_score for apps.
|
||||
allow system_server appdomain:file write;
|
||||
|
||||
# Silently deny access to any /proc/pid files other than
|
||||
# the ones allowed via allow rule. Avoids filling the logs
|
||||
# with noise from /proc/pid traversals by ActivityManager,
|
||||
# CpuTracker, and possibly other system_server components.
|
||||
dontaudit system_server domain:dir r_dir_perms;
|
||||
dontaudit system_server domain:{ file lnk_file } r_file_perms;
|
||||
|
||||
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
|
||||
allow system_server qtaguid_proc:file rw_file_perms;
|
||||
allow system_server qtaguid_device:chr_file rw_file_perms;
|
||||
|
|
|
|||
Loading…
Reference in a new issue