author Nick Kralevich <nnk@google.com> 2015-06-06 07:42:37 -0700
committer Nick Kralevich <nnk@google.com> 2015-06-08 10:29:11 -0700
commit e2651972c13a2aa3f930f5c39d81d41177387bf0 (patch)
tree 7ad23202e4820abe01677040bc1618aa3166646f /slideshow.te
parent dc496c2bfb5fe53c86d317ed041836f5262802cf (diff)
Allow /dev/klog access, drop mknod and __null__ access

Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg. These processes log to the kernel dmesg ring buffer, so they need write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in https://android-review.googlesource.com/151209 . Prior to that change, any code which called klog_init would (unnecessarily) create the device node themselves, rather than using the already existing device node.

Drop special /dev/__null__ handling from watchdogd. As of https://android-review.googlesource.com/148288 , watchdogd no longer creates its own /dev/null device, so it's unnecessary for us to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow only needed mknod to create /dev/__kmsg__, which is now obsolete. watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__, which again is now obsolete.

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534

Diffstat (limited to 'slideshow.te')
-rw-r--r-- slideshow.te 4
1 files changed, 2 insertions, 2 deletions
diff --git a/slideshow.te b/slideshow.te
index 2b82b3e..86d4bff 100644
--- a/slideshow.te
+++ b/slideshow.te
@@ -2,10 +2,10 @@
# it lives in the rootfs and has no unique file type.
type slideshow, domain;
-write_klog(slideshow)
+allow slideshow kmsg_device:chr_file rw_file_perms;
wakelock_use(slideshow)
allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow self:capability sys_tty_config;
allow slideshow graphics_device:dir r_dir_perms;
allow slideshow graphics_device:chr_file rw_file_perms;
allow slideshow input_device:dir r_dir_perms;
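
Review bot: The added "allow slideshow kmsg_device:chr_file rw_file_perms;" line grants read as well as write on kmsg_device, while the commit message says these processes need write access and every quoted denial is for { write } only. Consider narrowing the grant to w_file_perms, or add a comment in slideshow.te stating why slideshow needs to read the kernel log. The rule also replaces write_klog(slideshow) with a raw allow and no comment, so a one-line note that this covers logging to /dev/kmsg would help the next reader. Dropping mknod from the self:capability rule is consistent with the message, since slideshow only needed it to create /dev/__kmsg__.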