tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Silence /proc/pid denials.

Browse source 
system_server components such as ActivityManager and CpuTracker
try to access all /proc/pid directories, triggering denials on
domains that are not explicitly allowed to the system_server.
Silence these denials to avoid filling the logs with noise
and overwriting actual useful messages in the kernel ring buffer.

Change-Id: Ifd6f2fd63e945647570ed61c67a6171b89878617
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2014-03-13 16:19:25 -04:00
parent 64c0ff0079
commit 6fe899a0d1
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
system_server.te
View file

@ -80,6 +80,13 @@ r_dir_file(system_server, appdomain)
# Write to /proc/pid/oom_adj_score for apps.
allow system_server appdomain:file write;
# Silently deny access to any /proc/pid files other than
# the ones allowed via allow rule. Avoids filling the logs
# with noise from /proc/pid traversals by ActivityManager,
# CpuTracker, and possibly other system_server components.
dontaudit system_server domain:dir r_dir_perms;
dontaudit system_server domain:{ file lnk_file } r_file_perms;
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;