b050dccdd8
We are occasionally seeing the following SELinux denial:
avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file
This commit suppresses that exact denial.
We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.
Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
20 lines
648 B
Text
20 lines
648 B
Text
# idmap, when executed by installd
|
|
type idmap, domain;
|
|
type idmap_exec, exec_type, file_type;
|
|
|
|
# Use open file to /data/resource-cache file inherited from installd.
|
|
allow idmap installd:fd use;
|
|
allow idmap resourcecache_data_file:file { getattr read write };
|
|
|
|
# Ignore reading /proc/<pid>/maps after a fork.
|
|
dontaudit idmap installd:file read;
|
|
|
|
# Open and read from target and overlay apk files passed by argument.
|
|
allow idmap apk_data_file:file r_file_perms;
|
|
allow idmap apk_data_file:dir search;
|
|
|
|
# Allow apps access to /vendor/app
|
|
r_dir_file(idmap, vendor_app_file)
|
|
|
|
# Allow apps access to /vendor/overlay
|
|
r_dir_file(idmap, vendor_overlay_file)
|