platform_system_sepolicy/public/vdc.te
Yifan Hong 5d89abde99 Allow to getattr kmsg_device
These denials occur on boot when android_get_control_file also
changes from readlink() to realpath(), because realpath() will
lstat() the given path.

Some other domains (fastbootd, update_engine, etc.) also uses
libcutils to write to kernel log, where android_get_control_file()
is invoked, hence getattr is added to them as well.

04-28 06:15:22.290   618   618 I auditd  : type=1400 audit(0.0:4): avc: denied { getattr } for comm="logd" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
03-20 19:52:23.431   900   900 I auditd  : type=1400 audit(0.0:7): avc: denied { getattr } for comm="android.hardwar" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
...
03-20 22:40:42.316     1     1 W init    : type=1400 audit(0.0:33): avc: denied { getattr } for path="/dev/kmsg" dev="tmpfs" ino=21999 scontext=u:r:init:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

Test: no denials related to these
Change-Id: I5263dd6b64c06fb092f3461858f57a1a09107429
2019-03-25 10:14:20 -07:00

20 lines
573 B
Text

# vdc spawned from init for the following services:
# defaultcrypto
# encrypt
#
# We also transition into this domain from dumpstate, when
# collecting bug reports.
type vdc, domain;
type vdc_exec, system_file_type, exec_type, file_type;
# vdc can be invoked with logwrapper, so let it write to pty
allow vdc devpts:chr_file rw_file_perms;
# vdc writes directly to kmsg during the boot process
allow vdc kmsg_device:chr_file { getattr w_file_perms };
# vdc talks to vold over Binder
binder_use(vdc)
binder_call(vdc, vold)
allow vdc vold_service:service_manager find;