Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / d6c5ff5f726a9e8fc2ebb64ecbd547245312cf5e^! / . / private
commitd6c5ff5f726a9e8fc2ebb64ecbd547245312cf5e[log] [tgz]
authorTri Vo <trong@google.com>Wed Mar 13 12:06:01 2019 -0700
committerTri Vo <trong@google.com>Wed Mar 13 23:47:25 2019 +0000
tree36498857572cb36a7e2018c6a000c5dc286f0ebd
parent058f7f4add88a624e740c07992cee9dad7c73f2a [diff]
Allow global read access to /sys/kernel/mm/transparent_hugepage/

If kernel is built with CONFIG_TRANSPARENT_HUGEPAGE optimization,
libjemalloc5 will attempt to read
/sys/kernel/mm/transparent_hugepage/enabled and hit an SELinux denial.

Various denials similiar to the following are seen on cuttlefish:
avc: denied { open } for comm="surfaceflinger"
path="/sys/kernel/mm/transparent_hugepage/enabled" dev="sysfs" ino=776
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
permissive=1

Bug: 28053261
Test: boot cuttlefish without above denials.
Change-Id: Ic33f12d31aacc42d662a8c5c297fbb5f84d4deea

diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 77c215c..ac3ab2a 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil

@@ -1543,7 +1543,8 @@
   ( sysfs
     sysfs_devices_block
     sysfs_extcon
-    sysfs_loop))
+    sysfs_loop
+    sysfs_transparent_hugepage))
 (typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
 (typeattributeset sysfs_batteryinfo_28_0 (sysfs_batteryinfo))
 (typeattributeset sysfs_bluetooth_writable_28_0 (sysfs_bluetooth_writable))

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 070559f..20ec084 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -133,6 +133,7 @@
 genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
 genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
 genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
+genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
 genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
 genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
 genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0

diff --git a/private/isolated_app.te b/private/isolated_app.te
index b7c812b..94b49b0 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te

@@ -127,6 +127,7 @@
 neverallow isolated_app {
   sysfs_type
   -sysfs_devices_system_cpu
+  -sysfs_transparent_hugepage
   -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
 }:file no_rw_file_perms;