tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix ANR permission denial for AIDL HALs.

Browse source 
Recently, WatchDog gained the ability to query AIDL HAL PIDs in order to
amend ANR reports. However, since this was tested on cuttlefish (and
b/65201432 means that system_server is permissive), the denial was not
enforced, and broke ANRs in the dogfood population.

Fixes: 179753319
Test: simulate hanging w/ 'adb shell am hang', and the following denial
   no longer occurs:
02-10 00:50:05.719   200   200 E SELinux : avc:  denied  { list } for
pid=575 uid=1000 name=service_manager scontext=u:r:system_server:s0
tcontext=u:r:servicemanager:s0 tclass=service_manager permissive=1

Change-Id: I210527ad7492b155d7cf08c7d67894ef602d37a6
This commit is contained in:
Steven Moreland 2021-02-10 01:06:08 +00:00
parent ae73b479fc
commit afb345c94b
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
private/system_server.te
View file

@ -292,6 +292,7 @@ unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
# List HAL interfaces to get ANR traces. # List HAL interfaces to get ANR traces.
allow system_server hwservicemanager:hwservice_manager list; allow system_server hwservicemanager:hwservice_manager list;
allow system_server servicemanager:service_manager list;
# Send signals to trigger ANR traces. # Send signals to trigger ANR traces.
allow system_server { allow system_server {