From 5a234338c1974ac7110518c436051b1b6724085d Mon Sep 17 00:00:00 2001
From: Bowgo Tsai
Date: Tue, 23 Apr 2019 11:40:01 +0800
Subject: [PATCH] Fix denial of /debug_ramdisk/adb_debug.prop

This CL fix the following SELinux denial, by allowing init to getatter for tmpfs:file.

audit: type=1400 audit(15464939.926:4): avc: denied { getattr } for pid=1 comm="init" path="/debug_ramdisk/adb_debug.prop" dev="tmpfs" ino=25480 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=file permissive=0

Note: the current sepolicy (before this change) has the following rules for tmpfs:file:

$ sesearch --allow -t tmpfs -c file $OUT/vendor/etc/selinux/precompiled_sepolicy
allow dex2oat tmpfs:file { read map getattr };
allow init tmpfs:file { read unlink open setattr };
allow postinstall_dexopt tmpfs:file read;
allow profman tmpfs:file { read map };
allow vendor_init tmpfs:file { read map open setattr };

Bug: 126493225
Test: boot a device with debug ramdisk, checks related files are loaded
Change-Id: I6dd356de989d597828a6e04846b793d611c477fa
---
 public/init.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/public/init.te b/public/init.te
index bde7ac61d..c5b88d249 100644
--- a/public/init.te
+++ b/public/init.te
@@ -52,8 +52,8 @@ allow init mnt_sdcard_file:lnk_file create;
 # setrlimit
 allow init self:global_capability_class_set sys_resource;
 
-# Remove /dev/.booting, created before initial policy load or restorecon /dev.
-allow init tmpfs:file unlink;
+# Remove /dev/.booting and load /debug_ramdisk/* files
+allow init tmpfs:file { getattr unlink };
 
 # Access pty created for fsck.
 allow init devpts:chr_file { read write open };
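Review bot: The rewritten comment on the `+# Remove /dev/.booting and load /debug_ramdisk/* files` line drops the rationale the old comment carried (/dev/.booting is labeled tmpfs because it is created before the initial policy load or the restorecon of /dev) and gives no reason why /debug_ramdisk/* files carry the generic label, so the next reader cannot tell why init needs permissions on the catch-all `tmpfs` type rather than a dedicated file type. Because `tmpfs` is the default label for files on any tmpfs mount, the `getattr` added here (like the existing `unlink`) applies to every such file, not only the two paths named, which is worth stating in the policy. If /debug_ramdisk can be given its own type through file_contexts, this rule could be narrowed to that type; that cannot be verified from this hunk. Suggested comment: `# Remove /dev/.booting (created before initial policy load or restorecon /dev)` / `# and stat/read /debug_ramdisk/* files; both carry the generic tmpfs label.`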