Add policy for /system/bin/auditctl
/system/bin/auditctl is executed by init to set the kernel audit
throttling rate limit. Grant the rules necessary for this to happen.
Test: compiles and boots
Test: Perform an operation which generates lots of SELinux denials,
and count how many occur before and after the time period.
Bug: 118815957
(cherry picked from commit 622ab8a2ba
)
Change-Id: Ie5b4852fa217462557fce192c764305893968454
This commit is contained in:
parent
61cbd0a362
commit
c7a3140398
2 changed files with 19 additions and 0 deletions
18
private/auditctl.te
Normal file
18
private/auditctl.te
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
#
|
||||||
|
# /system/bin/auditctl executed for logd
|
||||||
|
#
|
||||||
|
# Performs maintenance of the kernel auditing system, including
|
||||||
|
# setting rate limits on SELinux denials.
|
||||||
|
#
|
||||||
|
|
||||||
|
type auditctl, domain, coredomain;
|
||||||
|
type auditctl_exec, file_type, system_file_type, exec_type;
|
||||||
|
|
||||||
|
# Uncomment the line below to put this domain into permissive
|
||||||
|
# mode. This helps speed SELinux policy development.
|
||||||
|
# userdebug_or_eng(`permissive auditctl;')
|
||||||
|
|
||||||
|
init_daemon_domain(auditctl)
|
||||||
|
|
||||||
|
allow auditctl self:global_capability_class_set audit_control;
|
||||||
|
allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
|
|
@ -182,6 +182,7 @@
|
||||||
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
|
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
|
||||||
/system/bin/atrace u:object_r:atrace_exec:s0
|
/system/bin/atrace u:object_r:atrace_exec:s0
|
||||||
/system/bin/ashmemd u:object_r:ashmemd_exec:s0
|
/system/bin/ashmemd u:object_r:ashmemd_exec:s0
|
||||||
|
/system/bin/auditctl u:object_r:auditctl_exec:s0
|
||||||
/system/bin/bcc u:object_r:rs_exec:s0
|
/system/bin/bcc u:object_r:rs_exec:s0
|
||||||
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
|
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
|
||||||
/system/bin/charger u:object_r:charger_exec:s0
|
/system/bin/charger u:object_r:charger_exec:s0
|
||||||
|
|
Loading…
Reference in a new issue