Silence /proc/pid denials.

system_server components such as ActivityManager and CpuTracker
try to access all /proc/pid directories, triggering denials on
domains that are not explicitly allowed to the system_server.
Silence these denials to avoid filling the logs with noise
and overwriting actual useful messages in the kernel ring buffer.

Change-Id: Ifd6f2fd63e945647570ed61c67a6171b89878617
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2014-03-13 16:19:25 -04:00
parent 64c0ff0079
commit 6fe899a0d1


@ -80,6 +80,13 @@ r_dir_file(system_server, appdomain)
# Write to /proc/pid/oom_adj_score for apps. # Write to /proc/pid/oom_adj_score for apps.
allow system_server appdomain:file write; allow system_server appdomain:file write;
# Silently deny access to any /proc/pid files other than
# the ones allowed via allow rule. Avoids filling the logs
# with noise from /proc/pid traversals by ActivityManager,
# CpuTracker, and possibly other system_server components.
dontaudit system_server domain:dir r_dir_perms;
dontaudit system_server domain:{ file lnk_file } r_file_perms;
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid. # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms; allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms; allow system_server qtaguid_device:chr_file rw_file_perms;
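Review bot: The second added rule, `dontaudit system_server domain:{ file lnk_file } r_file_perms;`, silences every read-class denial from system_server on files of every process domain, which is wider than the /proc/pid directory traversal the description motivates: r_file_perms is broader than the getattr/open/read a listing needs, and after this change a genuinely missing system_server permission on another domain's /proc/pid file is denied silently with no audit record to diagnose from. Since SELinux denials are also a monitoring signal, the comment above the rules should state what is being hidden; I'd extend it with `# NOTE: dontaudit only suppresses the audit record and grants nothing, but it also hides real system_server denials on other domains' /proc/pid files, so drop these rules temporarily when debugging a missing permission.` The hunk header announces 13 new lines but only 11 are visible here, so one or two lines (probably blanks) appear to have been dropped by the page rendering rather than by the commit.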