tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Grant system_app permission to access cgroup_v2 directories

Browse source 
Without this change, the migration of the blkio controller to the cgroup
v2 hierarchy triggers the following denials:

01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:7): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:8): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:7): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0
01-31 19:00:59.086  4494  4494 I auditd  : type=1400 audit(0.0:8): avc: denied { write } for comm=4173796E635461736B202331 name="pid_4494" dev="cgroup2" ino=3545 scontext=u:r:system_app:s0 tcontext=u:object_r:cgroup_v2:s0 tclass=dir permissive=0

Bug: 213617178
Test: Booted Android in the Cuttlefish emulator.
Change-Id: I20f136d5cd58fa4ebabbb5a328fc6001b11110d7
Signed-off-by: Bart Van Assche <bvanassche@google.com>
This commit is contained in:
Bart Van Assche 2022-01-31 21:33:29 +00:00
parent 7e07941d3d
commit be3ff9b93a
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
private/system_app.te
View file

@ -159,6 +159,7 @@ allow system_app {
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
allow system_app cgroup_v2:file w_file_perms;
allow system_app cgroup_v2:dir w_dir_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)