tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/bootanim.te
Nick Kralevich f8f937a16f undeprecate /proc/cpuinfo, more shell permissions 
Access to /proc/cpuinfo was moved to domain_deprecated in commit
6e3506e1ba. Restore access to everyone.

Allow the shell user to stat() /dev, and vfsstat() /proc and other
labeled filesystems such as /system and /data.

Access to /proc/cpuinfo was explicitly granted to bootanim, but is no
longer required after moving it back to domain.te. Delete the redundant
entry.

Commit 4e2d22451f restored access to
/sys/devices/system/cpu for all domains, but forgot to remove the
redundant entry from bootanim.te. Cleanup the redundant entry.

Addresses the following denials:

  avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
  avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
  avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
  avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0

Bug: 26295417
Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec
2015-12-22 16:48:47 -08:00

34 lines
885 B
Text
Raw Blame History

# bootanimation oneshot service
type bootanim, domain;
type bootanim_exec, exec_type, file_type;
init_daemon_domain(bootanim)
binder_use(bootanim)
binder_call(bootanim, surfaceflinger)
allow bootanim gpu_device:chr_file rw_file_perms;
# /oem access
allow bootanim oemfs:dir search;
allow bootanim oemfs:file r_file_perms;
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;
allow bootanim surfaceflinger_service:service_manager find;
# For /acct/uid/*/tasks.
allow bootanim cgroup:dir { search write };
allow bootanim cgroup:file w_file_perms;
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
r_dir_file(bootanim, proc)
r_dir_file(bootanim, sysfs)
r_dir_file(bootanim, cgroup)
# System file accesses.
allow bootanim system_file:dir r_dir_perms;
Reference in a new issue View git blame Copy permalink