sepolicy: grant dac_read_search to domains with dac_override kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4

commit: 342362ae3e1afa577a73dc7f154a9de7da96edc4 [log] [tgz]
author: Benjamin Gordon <bmgordon@google.com> Thu Sep 06 16:19:40 2018 -0600
committer: Benjamin Gordon <bmgordon@google.com> Wed Sep 19 15:54:37 2018 -0600
tree: 42542e8ffd6aefdf3d3e0b5728359840b84cdd93
parent: 51dc7cb1d411215a7361feebfeaf1f976ce6cf30 [diff] [blame]
diff --git a/private/storaged.te b/private/storaged.te
index b7321fd..8f70531 100644
--- a/private/storaged.te
+++ b/private/storaged.te

@@ -48,7 +48,7 @@
 
 # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
 # running as root. See b/35323867 #3.
-dontaudit storaged self:global_capability_class_set dac_override;
+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
 
 # For collecting bugreports.
 allow storaged dumpstate:fifo_file write;
commit	342362ae3e1afa577a73dc7f154a9de7da96edc4	[log] [tgz]
author	Benjamin Gordon <bmgordon@google.com>	Thu Sep 06 16:19:40 2018 -0600
committer	Benjamin Gordon <bmgordon@google.com>	Wed Sep 19 15:54:37 2018 -0600
tree	42542e8ffd6aefdf3d3e0b5728359840b84cdd93
parent	51dc7cb1d411215a7361feebfeaf1f976ce6cf30 [diff] [blame]