author | Joel Galenson | 2018-01-24 15:56:28 -0600 |
committer | Joel Galenson | 2018-01-25 12:07:19 -0600 |
commit | b050dccdd86bed1e9de9be2ebf9222d7032eb221 (patch) | |
tree | e37ddf7e3a9b455ffe5f5ad9a404dde60a0a1f33 | |
parent | 715c3a78d29c9b2c026e77f82f9895d87e8801a8 (diff) | |
Suppress denials from idmap reading installd's files.
We are occasionally seeing the following SELinux denial:
avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file
This commit suppresses that exact denial.
We believe this is occurring when idmap is forked from installd while another installd thread is reading its own /proc/<pid>/mounts file.
Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
-rw-r--r-- | private/bug_map | 1 | ||||
-rw-r--r-- | public/idmap.te | 3 |
2 files changed, 3 insertions, 1 deletions
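diff --git a/private/bug_map b/private/bug_map
index 6bc55e5b..2b970dd6 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -9,4 +9,3 @@ hal_graphics_allocator_default unlabeled dir 70180742
 surfaceflinger unlabeled dir 68864350
 hal_graphics_composer_default unlabeled dir 68864350
 bootanim unlabeled dir 68864350
-idmap installd file 72444813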
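diff --git a/public/idmap.te b/public/idmap.te
index 1c32f8fd..3f336a32 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -6,6 +6,9 @@ type idmap_exec, exec_type, file_type;
 allow idmap installd:fd use;
 allow idmap resourcecache_data_file:file { getattr read write };
 
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;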
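Review bot: The new comment above the dontaudit names `/proc/<pid>/maps`, but the denial quoted in the commit message is on `/proc/947/mounts`, so the comment documents the wrong file; it should read `# Ignore reading /proc/<pid>/mounts after a fork from installd (b/72444813).` so the next reader can match it to the bug. Note also that `dontaudit idmap installd:file read;` is not limited to that one path: every file carrying installd's process context (all of /proc/<installd pid>/ regular files) becomes silently unreadable from idmap, which is acceptable as the access is still denied, but it means a future unexpected read of, say, installd's /proc/<pid>/environ by idmap would never surface in the audit log; a sentence to that effect in the comment would make the trade-off explicit. If the intent is only to stop log spam from the one known race, it may also be worth stating in the comment that the read is expected to fail and idmap does not depend on it, since that is the only condition under which suppressing rather than allowing is correct.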