Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 5a234338c1974ac7110518c436051b1b6724085d
commit5a234338c1974ac7110518c436051b1b6724085d[log] [tgz]
authorBowgo Tsai <bowgotsai@google.com>Tue Apr 23 11:40:01 2019 +0800
committerBowgo Tsai <bowgotsai@google.com>Tue Apr 23 06:40:10 2019 +0000
treeb58c7745ae95909659327de05c8e1b7e6cfda352
parent40a71c6f7b0828cea0b659e44b0538d2a5383b11 [diff]
Fix denial of /debug_ramdisk/adb_debug.prop

This CL fix the following SELinux denial, by allowing init to getatter
for tmpfs:file.

audit: type=1400 audit(15464939.926:4): avc:  denied  { getattr } for
pid=1 comm="init" path="/debug_ramdisk/adb_debug.prop" dev="tmpfs"
ino=25480 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=file
permissive=0

Note: the current sepolicy (before this change) has the following rules
for tmpfs:file:

$ sesearch --allow -t tmpfs -c file $OUT/vendor/etc/selinux/precompiled_sepolicy
  allow dex2oat tmpfs:file { read map getattr };
  allow init tmpfs:file { read unlink open setattr };
  allow postinstall_dexopt tmpfs:file read;
  allow profman tmpfs:file { read map };
  allow vendor_init tmpfs:file { read map open setattr };

Bug: 126493225
Test: boot a device with debug ramdisk, checks related files are loaded
Change-Id: I6dd356de989d597828a6e04846b793d611c477fa
1 file changed
tree: b58c7745ae95909659327de05c8e1b7e6cfda352
  1. apex/
  2. build/
  3. prebuilts/
  4. private/
  5. public/
  6. reqd_mask/
  7. tests/
  8. tools/
  9. vendor/
  10. .gitignore
  11. Android.bp
  12. Android.mk
  13. CleanSpec.mk
  14. definitions.mk
  15. file_contexts.mk
  16. hwservice_contexts.mk
  17. mac_permissions.mk
  18. MODULE_LICENSE_PUBLIC_DOMAIN
  19. NOTICE
  20. OWNERS
  21. policy_version.mk
  22. PREUPLOAD.cfg
  23. property_contexts.mk
  24. README
  25. seapp_contexts.mk
  26. service_contexts.mk
  27. treble_sepolicy_tests_for_release.mk