domain_deprecated: remove tmpfs dir access
Address "granted" audit messages for dumpstate use of df. avc: granted { getattr } for comm="df" path="/mnt" dev="tmpfs" scontext=u:r:dumpstate:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir avc: granted { search } for comm="df" name="/" dev="tmpfs" scontext=u:r:dumpstate:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir Bug: 28760354 Test: Build, check logs. Change-Id: I920948a5f0bce1b4bd2f15779730df8b3b1fea5a
parent
a92d313561
commit
ca5bb3371d
@ -1,21 +1,5 @@
|
||||
# rules removed from the domain attribute
|
||||
|
||||
# Search /storage/emulated tmpfs mount.
|
||||
allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
|
||||
userdebug_or_eng(`
|
||||
auditallow {
|
||||
domain_deprecated
|
||||
-appdomain
|
||||
-installd
|
||||
-recovery
|
||||
-sdcardd
|
||||
-surfaceflinger
|
||||
-system_server
|
||||
-vold
|
||||
-zygote
|
||||
} tmpfs:dir r_dir_perms;
|
||||
')
|
||||
|
||||
# Root fs.
|
||||
allow domain_deprecated rootfs:dir r_dir_perms;
|
||||
allow domain_deprecated rootfs:file r_file_perms;
|
||||
|
@ -82,7 +82,7 @@ allow dumpstate sysfs_usb:file w_file_perms;
|
||||
allow dumpstate qtaguid_proc:file r_file_perms;
|
||||
allow dumpstate debugfs:file r_file_perms;
|
||||
# df for /storage/emulated needs search
|
||||
allow dumpstate { storage_file block_device }:dir { search getattr };
|
||||
allow dumpstate { block_device storage_file tmpfs }:dir { search getattr };
|
||||
allow dumpstate fuse_device:chr_file getattr;
|
||||
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
|
||||
|
||||
|
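Review bot: The comment above the changed rule, `# df for /storage/emulated needs search`, no longer explains the whole rule now that `tmpfs` is in the type set. Going by the commit message, the tmpfs grant covers df's getattr on `/mnt` and search on the tmpfs root, so I would reword it to something like `# df needs search/getattr on /storage/emulated, /mnt and other tmpfs mount points`. The comment could also note that `tmpfs` is presumably the label for any tmpfs mount without a more specific type, so the rule lets dumpstate traverse all of them. Keeping the grant to `{ search getattr }`, rather than the `r_dir_perms` dumpstate previously got through domain_deprecated, is the right scope and matches the two audited permissions. The rest of the dumpstate policy lies outside this hunk.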