authorDenis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>2021-11-17 17:23:30 +0100
committerDenis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>2021-11-17 17:26:43 +0100
commit046d4abbad577807820cd1ac0a623684291a95c4 (patch)
tree04f32b0a297e67ae83633d4185382082691932e2
parent77c9aad7ff478f580f06656ae2d488554a29a91b (diff)
selinux: Add bootanim policy
Without that fix, we have the following errors in logcat -b main: [...] { read } for name="u:object_r:userspace_reboot_exported_prop:s0" dev="tmpfs" ino=159 scontext=u:r:bootanim:s0 tcontext=u:object_r:userspace_reboot_exported_prop:s0 tclass=file permissive=1 [...] { open } for path="/dev/__properties__/u:object_r:userspace_reboot_exported_prop:s0" dev="tmpfs" ino=159 scontext=u:r:bootanim:s0 tcontext=u:object_r:userspace_reboot_exported_prop:s0 tclass=file permissive=1 [...] { getattr } for path="/dev/__properties__/u:object_r:userspace_reboot_exported_prop:s0" dev="tmpfs" ino=159 scontext=u:r:bootanim:s0 tcontext=u:object_r:userspace_reboot_exported_prop:s0 tclass=file permissive=1 [...] { map } for path="/dev/__properties__/u:object_r:userspace_reboot_exported_prop:s0" dev="tmpfs" ino=159 scontext=u:r:bootanim:s0 tcontext=u:object_r:userspace_reboot_exported_prop:s0 tclass=file permissive=1 [...] { read } for name="libglapi.so" dev="mmcblk2p9" ino=3944 scontext=u:r:bootanim:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1 [...] { open } for path="/system/vendor/lib/libglapi.so" dev="mmcblk2p9" ino=3944 scontext=u:r:bootanim:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1 [...] { getattr } for path="/system/vendor/lib/libglapi.so" dev="mmcblk2p9" ino=3944 scontext=u:r:bootanim:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1 [...] { map } for path="/system/vendor/lib/libglapi.so" dev="mmcblk2p9" ino=3944 scontext=u:r:bootanim:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1 [...] { execute } for path="/system/vendor/lib/libglapi.so" dev="mmcblk2p9" ino=3944 scontext=u:r:bootanim:s0 tcontext=u:object_r:vendor_file:s0 tclass=file permissive=1 [...] { read } for name="dri" dev="tmpfs" ino=236 scontext=u:r:bootanim:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=1 [...] { open } for path="/dev/dri" dev="tmpfs" ino=236 scontext=u:r:bootanim:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=1 [...] 
{ getattr } for path="/dev/dri/renderD128" dev="tmpfs" ino=344 scontext=u:r:bootanim:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 [...] { read } for name="uevent" dev="sysfs" ino=28721 scontext=u:r:bootanim:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 [...] { open } for path="/sys/devices/platform/exynos-drm/uevent" dev="sysfs" ino=28721 scontext=u:r:bootanim:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 [...] { getattr } for path="/sys/devices/platform/exynos-drm/uevent" dev="sysfs" ino=28721 scontext=u:r:bootanim:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 [...] { read write } for name="renderD128" dev="tmpfs" ino=344 scontext=u:r:bootanim:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 [...] { open } for path="/dev/dri/renderD128" dev="tmpfs" ino=344 scontext=u:r:bootanim:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 [...] { ioctl } for path="/dev/dri/renderD128" dev="tmpfs" ino=344 ioctlcmd=0x6400 scontext=u:r:bootanim:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 [...] { map } for path="/dev/dri/renderD129" dev="tmpfs" ino=271 scontext=u:r:bootanim:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 The bootanim.te content was produced by copying the full version of these messages to messages.txt and by running this command: adb pull /sys/fs/selinux/policy cat messages.txt | audit2allow -p policy Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
-rw-r--r--sepolicy/bootanim.te5
1 files changed, 5 insertions, 0 deletions
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..107e96c
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1,5 @@
+allow bootanim device:chr_file { getattr ioctl map open read write };
+allow bootanim device:dir { open read };
+allow bootanim sysfs:file { getattr open read };
+allow bootanim userspace_reboot_exported_prop:file { getattr map open read };
+allow bootanim vendor_file:file { execute getattr map open read };
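Review bot: Four of the five rules target catch-all types (`device`, `sysfs`, `vendor_file`), so they give bootanim access to every unlabeled character device under /dev, every generically labeled sysfs file and every vendor file, not only the DRM nodes and libglapi.so named in the commit message. As far as I recall, AOSP's base policy carries a neverallow on `device:chr_file { open read write }` to force relabeling to a specific type, so the first rule may also fail a build that enforces neverallows. A narrower fix is to label the objects instead, for example `/dev/dri(/.*)? u:object_r:gpu_device:s0` in the device's file_contexts, and to give libglapi.so a type such as `same_process_hal_file` rather than allowing `execute` on all of `vendor_file`. If the rules stay as generated, a comment above each one naming the path it came from (e.g. `# /dev/dri/renderD128, /dev/dri/renderD129`) would let a later change tighten them without re-deriving the denials.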