Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / c59eb4d8533ffddc6615c05357335319f233140b^! / . / private / system_server.te
commitc59eb4d8533ffddc6615c05357335319f233140b[log] [tgz]
authorTom Cherry <tomcherry@google.com>Tue Jun 13 14:49:17 2017 -0700
committerTom Cherry <tomcherry@google.com>Tue Jun 13 15:23:01 2017 -0700
treef0057f487a8fe2ea5fdca057591be7fcb477aa38
parent06486796a4e818d782ea1f2f20cfc8ddf6bf724c [diff] [blame]
Add getpgid to system_service and init

In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM.  We must send the signal both to all
processes within a POSIX process group and a cgroup.  To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing.  If they are, we skip sending a second signal.  This requires
getpgid permissions, hence this SELinux change.

avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1

Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570

diff --git a/private/system_server.te b/private/system_server.te
index 849ce0a..7b95600 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -95,7 +95,7 @@
 allow system_server self:netlink_route_socket nlmsg_write;
 
 # Kill apps.
-allow system_server appdomain:process { sigkill signal };
+allow system_server appdomain:process { getpgid sigkill signal };
 
 # Set scheduling info for apps.
 allow system_server appdomain:process { getsched setsched };