author | Nick Kralevich <nnk@google.com> | 2013-10-30 14:12:21 -0700 |
committer | Nick Kralevich <nnk@google.com> | 2013-10-30 14:12:21 -0700 |
commit | 967f39a6e88c60b5f65a37397d6619197a1d0514 (patch) | |
tree | ae6e157209a171d819b19178bbe00e128d6b18aa | |
parent | 5b38c47b7e53371f7c400cf9c0f312a1f147dce9 (diff) | |
Move sysfs_devices_system_cpu to the central policy.
Every device has a CPU. This is not device specific.
Allow every domain to read these files/directories.
For unknown reasons, these files are accessed by A LOT
of processes.
Allow ueventd to write to these files. This addresses
the following denials seen on mako:
<5>[ 4.935602] type=1400 audit(1383167737.512:4): avc: denied { read } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[ 4.935785] type=1400 audit(1383167737.512:5): avc: denied { open } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[ 4.935937] type=1400 audit(1383167737.512:6): avc: denied { search } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[ 4.936120] type=1400 audit(1383167737.512:7): avc: denied { write } for pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
<5>[ 4.936303] type=1400 audit(1383167737.512:8): avc: denied { open } for pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
Change-Id: I4766dc571762d8fae06aa8c26828c070b80f5936
-rw-r--r-- | domain.te | 1 | ||||
-rw-r--r-- | file_contexts | 1 | ||||
-rw-r--r-- | ueventd.te | 1 |
3 files changed, 3 insertions, 0 deletions
@@ -106,6 +106,7 @@ allow domain sysfs_writable:file rw_file_perms;
 
 # Read access to pseudo filesystems.
 r_dir_file(domain, proc)
 r_dir_file(domain, sysfs)
+r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
diff --git a/file_contexts b/file_contexts
index be61f9c..5a9f1e2 100644
--- a/file_contexts
+++ b/file_contexts
@@ -204,6 +204,7 @@
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
 /sys/class/rfkill/rfkill[0-9]*/state -- u:object_r:sysfs_bluetooth_writable:s0
 /sys/class/rfkill/rfkill[0-9]*/type -- u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
 /sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
 /sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
 #############################
@@ -14,6 +14,7 @@ allow ueventd device:chr_file rw_file_perms;
 allow ueventd sysfs:file rw_file_perms;
 allow ueventd sysfs:file setattr;
 allow ueventd sysfs_type:file { relabelfrom relabelto };
+allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
 allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink }; |
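Review bot: The new `r_dir_file(domain, sysfs_devices_system_cpu)` line in domain.te grants every domain read access to the whole /sys/devices/system/cpu subtree, and the only rationale on record is the description's "for unknown reasons"; that should be recorded next to the rule so a later reader knows the breadth is deliberate, e.g. `# /sys/devices/system/cpu is read by a large number of unrelated processes; see the introducing commit for the denials.` The diffstat lists only domain.te, file_contexts and ueventd.te, so the `sysfs_devices_system_cpu` type is presumably already declared in the central file.te; if it had only been declared in device-specific policy before this move, a build of the central policy on a device without that declaration would fail, which is worth confirming. The type also needs to be a member of `sysfs_type` for the existing `sysfs_type` rules (such as ueventd's relabelfrom/relabelto) to cover it, which this hunk cannot show.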
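Review bot: The new `/sys/devices/system/cpu(/.*)?` entry in file_contexts only takes effect once /sys has been relabeled (restorecon); sysfs inodes are created by the kernel with the genfscon label, so anything that reads these nodes before the relabel still sees the plain `sysfs` label and the domain-wide rule from domain.te would not apply to it. The denials in the description show `cpu0` and `uevent` already carrying the new label when ueventd touches them, so on mako the relabel evidently happens early enough; if boot-time coverage on other devices matters, a genfs_contexts entry for this path would be the more robust place — presumably not needed here, but worth a sentence in the commit or a comment. One style point: the neighbouring entries carry a `--` file-type column and this one does not; that is correct, since both the `cpu0` directory and the `uevent` file need the label, but a short comment such as `# no type qualifier: labels both directories and files under cpu/` would stop a later cleanup from "fixing" it.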
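Review bot: The new `allow ueventd sysfs_devices_system_cpu:file rw_file_perms;` in ueventd.te grants read/write on every file under /sys/devices/system/cpu (cpufreq and hotplug tunables included), while the denials quoted in the description show ueventd writing only to the `uevent` node; the grant mirrors the `sysfs:file rw_file_perms` line above it, so it is probably the intended breadth, but the reason should be stated, e.g. `# ueventd writes to the uevent nodes under /sys/devices/system/cpu (see denials in the introducing commit)`. The dir-class denials on `cpu0` (read, open, search) are not addressed in this file and rely on the domain-wide `r_dir_file` rule added to domain.te in the same commit, which is fine but worth naming in that comment so the two rules are not later split apart. A narrower write rule would need a separate type for the uevent files, which this commit does not introduce.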