platform_system_sepolicy/public/profman.te
Nick Kralevich 364fd19782 profman/debuggerd: allow libart_file:file r_file_perms
Addresses the following auditallow spam:

avc: granted { read open } for comm="profman"
path="/system/lib/libart.so" dev="dm-0" ino=1368 scontext=u:r:profman:s0
tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read open } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1897
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { getattr } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1837
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file

Test: Policy compiles. Not a tightening of rules.
Change-Id: I501b0a6a343c61b3ca6283647a18a9a15deddf2a
2016-11-08 09:28:28 -08:00

23 lines
659 B
Text

# profman
type profman, domain;
type profman_exec, exec_type, file_type;
allow profman libart_file:file r_file_perms;
allow profman user_profile_data_file:file { getattr read write lock };
# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read };
allow profman apk_data_file:file { read };
allow profman oemfs:file { read };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
allow profman tmpfs:file { read };
allow profman profman_dump_data_file:file { write };
allow profman installd:fd use;
###
### neverallow rules
###
neverallow profman app_data_file:notdevfile_class_set open;