Drop dontaudit sys_admin rule from installd.
Old Android kernels (e.g. kernel/goldfish android-2.6.29 commit 2bda29) fell back to a CAP_SYS_ADMIN check even before checking uids if the cgroup subsystem did not define its own can_attach handler. This doesn't appear to have ever been the case of mainline, and is not true of the 3.4 Android kernels. So we no longer need to dontaudit sys_admin to avoid log noise. Change-Id: I3822600a06c242764a94f9b67d9fcd6f599d3453 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
parent
1cb990de6d
commit
016e636539
@ -16,7 +16,6 @@ allow installd apk_data_file:file r_file_perms;
|
||||
allow installd apk_tmp_file:file r_file_perms;
|
||||
allow installd system_file:file x_file_perms;
|
||||
allow installd cgroup:dir create_dir_perms;
|
||||
dontaudit installd self:capability sys_admin;
|
||||
# Check validity of SELinux context before use.
|
||||
selinux_check_context(installd)
|
||||
# Read /seapp_contexts and /data/security/seapp_contexts
|
||||
|
Loading…
Reference in New Issue
Block a user