rs.te: Remove dontaudit statements
These dontaudit rules were in place to suppress SELinux denials due to file descriptor leakage. The file descriptor leakage has been fixed, so these rules are no longer necessary. Delete. Fixes: 120983106 Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases Change-Id: I5cad79c3526583bd2b65bd089fee9c490f6beb5e
This commit is contained in:
Nick Kralevich
parent
2b80559518
commit
80eec389e2
1 changed files with 0 additions and 12 deletions
|
|
@ -28,15 +28,3 @@ allow rs same_process_hal_file:file { r_file_perms execute };
|
||||||
|
|
||||||
# File descriptors passed from app to renderscript
|
# File descriptors passed from app to renderscript
|
||||||
allow rs untrusted_app_all:fd use;
|
allow rs untrusted_app_all:fd use;
|
||||||
|
|
||||||
# TODO: Explain why these dontaudits are needed. Most likely
|
|
||||||
# these are file descriptors leaking across an exec() boundary
|
|
||||||
# due to a missing O_CLOEXEC / SOCK_CLOEXEC
|
|
||||||
dontaudit rs untrusted_app_all:unix_stream_socket { read write };
|
|
||||||
dontaudit rs untrusted_app_all:fifo_file { read write };
|
|
||||||
|
|
||||||
# TODO: Explain why this is necessary. I think this is a zygote
|
|
||||||
# created logging socket and system server parceled file descriptor
|
|
||||||
# which is not using the O_CLOEXEC flag.
|
|
||||||
dontaudit rs zygote:fd use;
|
|
||||||
dontaudit rs system_server:fd use;
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue