PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0f1b1f353b
android_system_sepolicy/slideshow.te
Nick Kralevich 31d88a704e Allow /dev/klog access, drop mknod and __null__ access 
Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

(cherry picked from e2651972c1)

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
2015-06-23 16:47:49 +00:00

15 lines
549 B
Plaintext
Raw Blame History

# slideshow seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type slideshow, domain;
allow slideshow kmsg_device:chr_file rw_file_perms;
wakelock_use(slideshow)
allow slideshow device:dir r_dir_perms;
allow slideshow self:capability sys_tty_config;
allow slideshow graphics_device:dir r_dir_perms;
allow slideshow graphics_device:chr_file rw_file_perms;
allow slideshow input_device:dir r_dir_perms;
allow slideshow input_device:chr_file r_file_perms;
allow slideshow tty_device:chr_file rw_file_perms;
Reference in New Issue View Git Blame Copy Permalink