diff options
| author | Nick Kralevich <nnk@google.com> | 2017-02-15 15:04:43 -0800 |
|---|---|---|
| committer | Andreas Blaesius <skate4life@gmx.de> | 2017-07-17 23:16:46 +0200 |
| commit | ae28752d5bc428d65ff5e0d26c83626e7a744b6d (patch) | |
| tree | 08269eb2f04909c4231632f5a8b813a0df4addea /racoon.te | |
| parent | e7cd3302ee34a21ebc434089a80e0c3e5f75f7c4 (diff) | |
| download | android_external_sepolicy-cm-13.0.tar.gz android_external_sepolicy-cm-13.0.tar.bz2 android_external_sepolicy-cm-13.0.zip | |
system_server: replace sys_resource with sys_ptraceHEADreplicant-6.0-0004-transitionreplicant-6.0-0004-rc6replicant-6.0-0004-rc5-transitionreplicant-6.0-0004-rc5replicant-6.0-0004-rc4replicant-6.0-0004-rc3replicant-6.0-0004-rc2replicant-6.0-0004-rc1replicant-6.0-0004replicant-6.0-0003cm-13.0
Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. However, in an SELinux based world, allowing
this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE
(without :process ptrace) already provides.
Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE.
Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
Bug: 34951864
Bug: 38496951
Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34
(cherry picked from commit 448669540c0b7c22ee8b8293217818f8f92238b6)
(cherry picked from commit c15810c527ffa6953108f68365cf2df9e0868096)
Diffstat (limited to 'racoon.te')
0 files changed, 0 insertions, 0 deletions