Allow adbd / shell /data/anr access
The shell user needs to be able to run commands like
"cat /data/anr/traces.txt". Allow it.
We also need to be able to pull the file via adb.
"adb pull /data/anr/traces.txt". Allow it.
Addresses the following denials:
<4>[ 20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[ 20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[ 20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[ 27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
Bug: 15450720
(cherry picked from commit 4fd4a2054d
)
Change-Id: Ide6f62183a1c6e2af4cbe84bb0ebb928cd8e63b7
parent
68c5f90b97
commit
cb182aba64
2 changed files with 8 additions and 0 deletions
4
adbd.te
4
adbd.te
|
@ -38,6 +38,10 @@ allow adbd shell_data_file:file create_file_perms;
|
|||
allow adbd sdcard_type:dir create_dir_perms;
|
||||
allow adbd sdcard_type:file create_file_perms;
|
||||
|
||||
# adb pull /data/anr/traces.txt
|
||||
allow adbd anr_data_file:dir r_dir_perms;
|
||||
allow adbd anr_data_file:file r_file_perms;
|
||||
|
||||
# Set service.adb.*, sys.powerctl properties.
|
||||
unix_socket_connect(adbd, property, init)
|
||||
allow adbd shell_prop:property_service set;
|
||||
|
|
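Review bot: The added rule `allow adbd anr_data_file:dir r_dir_perms;` in adbd.te is broader than the denials quoted in the commit message, which are all `tclass=file` (getattr, read, open); none of them shows a directory access being blocked. If adbd only needs to reach a known path, `allow adbd anr_data_file:dir search;` would cover traversal without permitting a listing of /data/anr; if listing is intended, the comment should say so. The file rule also applies to every file labelled `anr_data_file`, not only traces.txt, so the comment `# adb pull /data/anr/traces.txt` understates the scope. The same applies to the matching pair of rules added in shell.te.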
4
shell.te
4
shell.te
|
@ -13,4 +13,8 @@ app_domain(shell)
|
|||
read_logd(shell)
|
||||
control_logd(shell)
|
||||
|
||||
# read files in /data/anr
|
||||
allow shell anr_data_file:dir r_dir_perms;
|
||||
allow shell anr_data_file:file r_file_perms;
|
||||
|
||||
# inherits from shelldomain.te
|
||||
|
|
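Review bot: The comment `# read files in /data/anr` in shell.te does not record why the shell domain gets this access or what the files hold. ANR trace files generally contain stack dumps from processes other than the caller, which matters to anyone auditing what an adb shell user can read. A comment such as `# Allow "cat /data/anr/traces.txt" from adb shell; traces may include stacks of other processes.` would make that explicit.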