Create sysfs_zram label.
Address the following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0" dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
Bug: 22032619
Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
This commit is contained in:
parent
1e5b7a1962
commit
36f255ff52
2
file.te
2
file.te
@ -30,6 +30,8 @@ type sysfs_mac_address, fs_type, sysfs_type;
|
||||
type sysfs_devices_system_cpu, fs_type, sysfs_type;
|
||||
# /sys/module/lowmemorykiller
|
||||
type sysfs_lowmemorykiller, fs_type, sysfs_type;
|
||||
type sysfs_zram, fs_type, sysfs_type;
|
||||
type sysfs_zram_uevent, fs_type, sysfs_type;
|
||||
type inotify, fs_type, mlstrustedobject;
|
||||
type devpts, fs_type, mlstrustedobject;
|
||||
type tmpfs, fs_type;
|
||||
|
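Review bot: The two new type declarations lack the path comment their neighbours carry (`# /sys/module/lowmemorykiller` above `sysfs_lowmemorykiller`), so a reader of file.te cannot tell which sysfs subtree they label or why `uevent` is split into its own type. Add `# /sys/devices/virtual/block/zram*` above `type sysfs_zram` and `# zram*/uevent only: coldboot trigger, kept separate from the other zram tunables` above `type sysfs_zram_uevent`. The rationale for the split is inferred from the ueventd and vold rules elsewhere in this change, which get write access only to the uevent type; confirm it matches the intent before committing the comment.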
@ -322,6 +322,8 @@
|
||||
#
|
||||
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
|
||||
/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
|
||||
/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
|
||||
/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0
|
||||
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
|
||||
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
|
||||
/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
|
||||
|
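Review bot: The `zram\d+/uevent` entry only takes effect because it is placed below the `zram\d+(/.*)?` entry that also matches it; file_contexts resolves overlapping patterns by the last matching line, so a later reorder would silently relabel uevent as sysfs_zram and reintroduce the ueventd denial. Add `# must stay below the zram\d+(/.*)? entry: last matching line wins` above the uevent line. This hunk appears to belong to file_contexts rather than file.te, as its file header is not shown on the page.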
3
init.te
3
init.te
@ -157,6 +157,9 @@ allow init self:capability sys_boot;
|
||||
allow init sysfs_type:dir r_dir_perms;
|
||||
allow init sysfs_type:file w_file_perms;
|
||||
|
||||
# disksize
|
||||
allow init sysfs_zram:file getattr;
|
||||
|
||||
# Transitions to seclabel processes in init.rc
|
||||
domain_trans(init, rootfs, adbd)
|
||||
domain_trans(init, rootfs, healthd)
|
||||
|
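Review bot: The `# disksize` comment does not explain why a separate getattr rule is needed when init already holds `sysfs_type:file w_file_perms`, which covers sysfs_zram files. Spell it out: `# init writes the zram disksize; w_file_perms does not include getattr, so the stat of the file needs its own rule`. That init stats the file before writing it is inferred from the disksize getattr denial in the description; confirm against init's write path.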
@ -68,6 +68,10 @@ allow priv_app exec_type:file getattr;
|
||||
allow priv_app vold:fd use;
|
||||
allow priv_app fuse_device:chr_file { read write };
|
||||
|
||||
# /sys access
|
||||
allow priv_app sysfs_zram:dir search;
|
||||
allow priv_app sysfs_zram:file r_file_perms;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
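Review bot: `allow priv_app sysfs_zram:file r_file_perms` goes beyond the only priv_app denial in the description, which is `search` on the zram0 dir, so file read is granted pre-emptively to every priv_app. Either keep only `allow priv_app sysfs_zram:dir search;` until a file denial is observed, or state in the comment which file the app reads (e.g. `# /sys access: zram stats read by ContactsProvider`) so the grant can be audited later. The system_app hunk adds the same two rules although the description cites no system_app denial at all, and only the system_server pair is fully backed by the listed denials. This hunk's file header is not shown; the `allow priv_app` rules suggest priv_app.te.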
@ -73,4 +73,8 @@ allow system_app keystore:keystore_key {
|
||||
user_changed
|
||||
};
|
||||
|
||||
# /sys access
|
||||
allow system_app sysfs_zram:dir search;
|
||||
allow system_app sysfs_zram:file r_file_perms;
|
||||
|
||||
control_logd(system_app)
|
||||
|
@ -369,6 +369,10 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
|
||||
allow system_server pstorefs:dir r_dir_perms;
|
||||
allow system_server pstorefs:file r_file_perms;
|
||||
|
||||
# /sys access
|
||||
allow system_server sysfs_zram:dir search;
|
||||
allow system_server sysfs_zram:file r_file_perms;
|
||||
|
||||
allow system_server drmserver_service:service_manager find;
|
||||
allow system_server healthd_service:service_manager find;
|
||||
allow system_server keystore_service:service_manager find;
|
||||
|
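Review bot: The `# /sys access` comment above the two system_server rules is too generic to tell a future reader what the access is for, while the description names it exactly. Replace it with `# zram memory stats (mem_used_total) under /sys/devices/virtual/block/zram*`. This hunk's file header is not shown; the `allow system_server` rules suggest system_server.te.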
@ -14,6 +14,7 @@ allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio da
|
||||
allow ueventd device:file create_file_perms;
|
||||
allow ueventd device:chr_file rw_file_perms;
|
||||
allow ueventd sysfs:file rw_file_perms;
|
||||
allow ueventd sysfs_zram_uevent:file w_file_perms;
|
||||
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
|
||||
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
|
||||
allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
|
||||
|
4
vold.te
4
vold.te
@ -167,6 +167,10 @@ allow vold storage_file:dir mounton;
|
||||
# For AppFuse.
|
||||
allow vold fuse_device:chr_file rw_file_perms;
|
||||
|
||||
# coldboot of /sys/block
|
||||
allow vold sysfs_zram:dir r_dir_perms;
|
||||
allow vold sysfs_zram_uevent:file rw_file_perms;
|
||||
|
||||
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
|
||||
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
|
||||
neverallow { domain -vold -init } vold_data_file:dir *;
|
||||
|
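Review bot: `allow vold sysfs_zram_uevent:file rw_file_perms` grants read on uevent although the comment describes a coldboot trigger, which is a write, and ueventd in this same change gets only `w_file_perms` on the same type. If vold only writes the trigger string, change the line to `allow vold sysfs_zram_uevent:file w_file_perms;` so the two domains stay consistent; whether vold also reads uevent is not visible here. The vold dir denial in the description is `read`, which `r_dir_perms` covers.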