platform_system_sepolicy/public/idmap.te
Joel Galenson b050dccdd8 Suppress denials from idmap reading installd's files.
We are occasionally seeing the following SELinux denial:

avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file

This commit suppresses that exact denial.

We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.

Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
2018-01-25 10:07:19 -08:00

20 lines
648 B
Text

# idmap, when executed by installd
type idmap, domain;
type idmap_exec, exec_type, file_type;
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file { getattr read write };
# Ignore reading /proc/<pid>/maps after a fork.
dontaudit idmap installd:file read;
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
# Allow apps access to /vendor/app
r_dir_file(idmap, vendor_app_file)
# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)