Remove logspam
Grant observed uses of permissions being audited in domain_deprecated.
fsck
avc: granted { getattr } for path="/" dev="dm-0" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
keystore
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:keystore:s0 tcontext=u:object_r:system_file:s0 tclass=dir
sdcardd
avc: granted { read open } for path="/proc/filesystems" dev="proc" ino=4026532412 scontext=u:r:sdcardd:s0 tcontext=u:object_r:proc:s0 tclass=file
update_engine
avc: granted { getattr } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for name="hw" dev="dm-1" ino=168 scontext=u:r:update_engine:s0 tcontext=u:object_r:system_file:s0 tclass=dir
vold
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:vold:s0 tcontext=u:object_r:system_file:s0 tclass=dir
Test: Marlin builds and boots, avc granted messages no longer observed.
Bug: 35197529
Change-Id: Iae34ae3b9e22ba7550cf7d45dc011ab043e63424
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index a732332..96f32b9 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -17,7 +17,19 @@
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
allow domain_deprecated rootfs:lnk_file r_file_perms;
-auditallow { domain_deprecated -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -fsck
+ -healthd
+ -init
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow { domain_deprecated -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
auditallow { domain_deprecated -appdomain -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
@@ -30,9 +42,12 @@
-fingerprintd
-init
-installd
+ -keystore
-rild
-surfaceflinger
-system_server
+ -update_engine
+ -vold
-zygote
} system_file:dir { open read ioctl lock }; # search getattr in domain
auditallow {
@@ -81,7 +96,17 @@
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;
#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -rild -system_server -vold } proc:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -fsck
+ -fsck_untrusted
+ -init
+ -rild
+ -sdcardd
+ -system_server
+ -update_engine
+ -vold
+} proc:file r_file_perms;
auditallow { domain_deprecated -fsck -fsck_untrusted -init -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
diff --git a/public/fsck.te b/public/fsck.te
index bdbbd33..2f0a838 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -24,6 +24,7 @@
allow fsck swap_block_device:blk_file getattr;
r_dir_file(fsck, proc)
+allow fsck rootfs:dir r_dir_perms;
###
### neverallow rules
diff --git a/public/keystore.te b/public/keystore.te
index 4dd65eb..ec6d192 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -25,6 +25,7 @@
allow keystore ion_device:chr_file r_file_perms;
r_dir_file(keystore, cgroup)
+allow keystore system_file:dir r_dir_perms;
###
### Neverallow rules
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 6813aa6..3cb69be 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -31,6 +31,9 @@
# Allow running on top of expanded storage
allow sdcardd mnt_expand_file:dir search;
+# access /proc/filesystems
+allow sdcardd proc:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 29581dd..9409947 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -32,3 +32,8 @@
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop };
+# access /proc/misc
+allow update_engine proc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index dc8ca41..0e4eddc 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -27,6 +27,7 @@
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
+allow vold system_file:dir r_dir_perms;
allow vold system_file:file x_file_perms;
allow vold block_device:dir create_dir_perms;
allow vold device:dir write;