fcea726390
Address the following denials: 01-21 12:44:53.704 4595 4595 W ndroid.calendar: type=1400 audit(0.0:21): avc: denied { getattr } for name="/" dev="dm-0" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0 01-21 12:45:23.177 5544 5544 W roid.music:main: type=1400 audit(0.0:46): avc: denied { getattr } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=0 7618 W .android.chrome: type=1400 audit(0.0:413): avc: denied { getattr } for path="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 01-21 12:44:53.709 4595 4595 D AndroidRuntime: Shutting down VM 01-21 12:44:53.727 4595 4595 E AndroidRuntime: FATAL EXCEPTION: main 01-21 12:44:53.727 4595 4595 E AndroidRuntime: Process: com.google.android.calendar, PID: 4595 01-21 12:44:53.727 4595 4595 E AndroidRuntime: java.lang.RuntimeException: Unable to get provider com.google.android.syncadapters.calendar.timely.TimelyProvider: java.lang.IllegalArgumentException: Invalid path: /data 01-21 12:44:53.727 4595 4595 E AndroidRuntime: at android.app.ActivityThread.installProvider(ActivityThread.java:5550) ... Change-Id: I0e9d65438d031e19c9abc5dca8969ed4356437a0
# Rules removed from the domain attribute.
#
# Every rule in this file names domain_deprecated as its source, so each
# grant applies to whatever types are associated with domain_deprecated.
# The *_perms names and r_dir_file() are macros defined elsewhere in the
# policy tree; their expansions are not visible in this file.

# Read access to properties mapping.
allow domain_deprecated kernel:fd use;
allow domain_deprecated tmpfs:{ file lnk_file } { read getattr };

# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;

# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain_deprecated adbd:unix_stream_socket connectto;
allow domain_deprecated adbd:fd use;
allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:{ file lnk_file } r_file_perms;

# Device accesses.
# NOTE(review): this is read on regular files carrying the generic "device"
# type, not on character or block nodes - confirm which files still have
# that label before relying on or removing this rule.
allow domain_deprecated device:file read;

# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:{ file lnk_file } r_file_perms;

# Read files already opened under /data.
# The file rule lists only getattr and read (no open), which matches the
# "already opened" wording: the descriptor has to come from another process.
allow domain_deprecated system_data_file:dir { search getattr };
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;

# Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:{ file lnk_file } r_file_perms;

# Read /data/dalvik-cache.
allow domain_deprecated dalvikcache_data_file:dir { search getattr };
allow domain_deprecated dalvikcache_data_file:file r_file_perms;

# Read already opened /cache files.
# As with /data above, the file rule omits open; the directory rule uses
# r_dir_perms instead of the narrower { search getattr } used for /data.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;

# For /acct/uid/*/tasks.
# These are the only rules in this file that grant write access on a
# filesystem type other than the ion device below.
allow domain_deprecated cgroup:dir { search write };
allow domain_deprecated cgroup:file w_file_perms;

# Allow access to ion memory allocation device.
allow domain_deprecated ion_device:chr_file rw_file_perms;

# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, inotify)
r_dir_file(domain_deprecated, cgroup)
r_dir_file(domain_deprecated, proc_net)

# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;

# /data/security files
# Regular files get getattr only; their contents are not readable
# through this rule.
allow domain_deprecated security_file:dir { search getattr };
allow domain_deprecated security_file:file getattr;
allow domain_deprecated security_file:lnk_file r_file_perms;

# World readable asec image contents
allow domain_deprecated asec_public_file:file r_file_perms;
allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;