author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-03-21 10:24:04 -0400 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-03-21 10:31:43 -0400 |
commit | 644279ba06629627b7cac3cd6d694f2dd25b6748 (patch) | |
tree | ab3f7f90986895d34d9a8f1ca0448b92cedcc3a8 /binderservicedomain.te | |
parent | 01ba6834c10f5839371385b224a78c04e1351202 (diff) | |

Allow binder services to use pipes passed over binder.

Resolves denials such as:
avc: denied { write } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:surfaceflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
avc: denied { use } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:keystore:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
avc: denied { use } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:healthd:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
avc: denied { write } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:drmserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
avc: denied { use } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:inputflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
avc: denied { write } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:inputflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
avc: denied { write } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:mediaserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
Change-Id: I289dcf4b2c5897b7a10e41e5dd8d56ef4b9a4a08
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'binderservicedomain.te')
-rw-r--r-- | binderservicedomain.te | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/binderservicedomain.te b/binderservicedomain.te index 5990301..757d807 100644 --- a/binderservicedomain.te +++ b/binderservicedomain.te @@ -7,3 +7,7 @@ allow binderservicedomain shell_data_file:file { getattr write }; # Allow dumpsys to work from adb shell allow binderservicedomain devpts:chr_file rw_file_perms; + +# Receive and write to a pipe received over Binder from an app. +allow binderservicedomain appdomain:fd use; +allow binderservicedomain appdomain:fifo_file write; |
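
Review bot: The two added allow rules at the end of the hunk target the whole appdomain attribute, while every denial quoted in the commit message has tcontext=u:r:untrusted_app:s0. If the wider scope is deliberate (any app domain may hand a pipe to a binder service), the comment above the rules should say so; otherwise the target could be narrowed to the domains actually observed. Separately, the existing shell_data_file rule in the context lines grants { getattr write }, but the new fifo_file rule grants only write. The quoted denials show only write and use, so this matches the evidence, but it is worth confirming that no service calls fstat() on the received pipe before writing, since that would surface as a follow-up getattr denial on fifo_file.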