7a35c136a4
Allow /proc/meminfo to be read by bootanim. Not sure why
it's needed, but harmless enough.
Modify domain_deprecated so it doesn't use r_dir_file().
/proc/meminfo is neither a symlink nor a directory, so it doesn't
make sense to create allow rules for those classes of objects.
Addresses the following denial:
avc: denied { read } for comm="BootAnimation" name="meminfo" dev="proc"
ino=4026536593 scontext=u:r:bootanim:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file permissive=0
This denial is only showing up on flounder, flounder_lte, or
dragon devices. I'm not sure why.
Change-Id: I0f808bcae47fc2fda512cd147c3b44593835cac5
31 lines
821 B
Text
31 lines
821 B
Text
# bootanimation oneshot service
|
|
type bootanim, domain;
|
|
type bootanim_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(bootanim)
|
|
|
|
binder_use(bootanim)
|
|
binder_call(bootanim, surfaceflinger)
|
|
|
|
allow bootanim gpu_device:chr_file rw_file_perms;
|
|
|
|
# /oem access
|
|
allow bootanim oemfs:dir search;
|
|
allow bootanim oemfs:file r_file_perms;
|
|
|
|
allow bootanim audio_device:dir r_dir_perms;
|
|
allow bootanim audio_device:chr_file rw_file_perms;
|
|
|
|
allow bootanim surfaceflinger_service:service_manager find;
|
|
|
|
# Allow access to ion memory allocation device
|
|
allow bootanim ion_device:chr_file rw_file_perms;
|
|
|
|
# Read access to pseudo filesystems.
|
|
r_dir_file(bootanim, proc)
|
|
allow bootanim proc_meminfo:file r_file_perms;
|
|
r_dir_file(bootanim, sysfs)
|
|
r_dir_file(bootanim, cgroup)
|
|
|
|
# System file accesses.
|
|
allow bootanim system_file:dir r_dir_perms;
|