authorNick Kralevich <nnk@google.com>2013-10-23 09:08:23 -0700
committerSteve Kondik <shade@chemlab.org>2014-04-05 13:24:05 -0700
commit8cbf4c7403e223a7b209f312586b7a31a53df052 (patch)
treed8e1b683f6c1f5849cad79ce68fb9f06dbab25b1
parentffe2ab4343a10981e01dda3073825430045dfd1a (diff)
sysfs_devices_system_cpu should be a sysfs_type
Otherwise the following denials occur on mako: <5>[ 2.494246] type=1400 audit(1382544550.200:4): avc: denied { associate } for pid=1 comm="init" name="time_in_state" dev="sysfs" ino=17444 scontext=u:object_r:sy sfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem <5>[ 2.494735] type=1400 audit(1382544550.200:5): avc: denied { associate } for pid=1 comm="init" name="total_trans" dev="sysfs" ino=17443 scontext=u:object_r:sysf s_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem <5>[ 2.495162] type=1400 audit(1382544550.200:6): avc: denied { associate } for pid=1 comm="init" name="stats" dev="sysfs" ino=17442 scontext=u:object_r:sysfs_devi ces_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem <5>[ 2.495620] type=1400 audit(1382544550.200:7): avc: denied { associate } for pid=1 comm="init" name="scaling_governor" dev="sysfs" ino=17435 scontext=u:object_r :sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem <5>[ 2.496047] type=1400 audit(1382544550.200:8): avc: denied { associate } for pid=1 comm="init" name="cpuinfo_transition_latency" dev="sysfs" ino=17429 scontext= u:object_r:sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem <5>[ 2.496505] type=1400 audit(1382544550.200:9): avc: denied { associate } for pid=1 comm="init" name="scaling_available_frequencies" dev="sysfs" ino=17439 sconte xt=u:object_r:sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem <5>[ 2.496963] type=1400 audit(1382544550.200:10): avc: denied { associate } for pid=1 comm="init" name="scaling_driver" dev="sysfs" ino=17436 scontext=u:object_r: sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem Change-Id: I584a1cf61cb871a38be4d3b308cef03e64cfda8e Move sysfs_devices_system_cpu to the central policy. Every device has a CPU. This is not device specific. Allow every domain to read these files/directories. 
For unknown reasons, these files are accessed by A LOT of processes. Allow ueventd to write to these files. This addresses the following denials seen on mako: <5>[ 4.935602] type=1400 audit(1383167737.512:4): avc: denied { read } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir <5>[ 4.935785] type=1400 audit(1383167737.512:5): avc: denied { open } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir <5>[ 4.935937] type=1400 audit(1383167737.512:6): avc: denied { search } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir <5>[ 4.936120] type=1400 audit(1383167737.512:7): avc: denied { write } for pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file <5>[ 4.936303] type=1400 audit(1383167737.512:8): avc: denied { open } for pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file Change-Id: I4766dc571762d8fae06aa8c26828c070b80f5936
-rw-r--r--domain.te1
-rw-r--r--file.te2
-rw-r--r--file_contexts1
3 files changed, 3 insertions, 1 deletions
diff --git a/domain.te b/domain.te
index ca42aed..b4aacfb 100644
--- a/domain.te
+++ b/domain.te
@@ -110,6 +110,7 @@ allow domain sysfs_writable:file rw_file_perms;
# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
+r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
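Review bot: The added `r_dir_file(domain, sysfs_devices_system_cpu)` grants read access on the whole CPU sysfs tree to every process domain, and the description gives the reason only as "unknown". A comment above the line would record that for whoever later tries to narrow it, for example `# /sys/devices/system/cpu is read by many processes; consumers not yet enumerated, revisit before narrowing.` The list of `r_dir_file` rules continues outside the hunk, so other grants on this type may exist that are not visible here.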
diff --git a/file.te b/file.te
index 39fae37..706bc2f 100644
--- a/file.te
+++ b/file.te
@@ -85,7 +85,7 @@ type security_file, file_type;
# device policy
type bluetooth_efs_file, file_type;
# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, file_type;
+type sysfs_devices_system_cpu, file_type, sysfs_type;
# Socket types
type adbd_socket, file_type;
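Review bot: Adding `sysfs_type` to `sysfs_devices_system_cpu` makes every existing rule written against the `sysfs_type` attribute apply to the CPU nodes, not only the `associate` permission that the first set of denials needs. None of those rules are visible in this diff, so it is worth searching the policy for `sysfs_type` and confirming that no domain gains write or relabel access it should not have. The description also says ueventd is allowed to write these files, but no ueventd rule appears among the three files changed. Presumably that access comes from an existing rule on `sysfs_type` or from a separate commit; if not, the ueventd `write`/`open` denials quoted in the description will remain.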
diff --git a/file_contexts b/file_contexts
index bb6be19..5db0e40 100644
--- a/file_contexts
+++ b/file_contexts
@@ -211,6 +211,7 @@
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
/sys/class/rfkill/rfkill[0-9]*/state -- u:object_r:sysfs_bluetooth_writable:s0
/sys/class/rfkill/rfkill[0-9]*/type -- u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
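Review bot: The new entry `/sys/devices/system/cpu(/.*)?` has no file-type field, so a single label covers directories, read-only statistics and tunables such as `scaling_governor` alike. Any write grant on `sysfs_devices_system_cpu` therefore applies to every node under the tree and cannot be limited to particular files. If only some nodes need to be writable, a separate, more specific entry with its own type would keep the rest read-only. A short comment above the entry, such as `# CPU topology and cpufreq nodes; readable by all domains`, would also document the intent.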