5d89abde99
These denials occur on boot when android_get_control_file also
changes from readlink() to realpath(), because realpath() will
lstat() the given path.
Some other domains (fastbootd, update_engine, etc.) also uses
libcutils to write to kernel log, where android_get_control_file()
is invoked, hence getattr is added to them as well.
04-28 06:15:22.290 618 618 I auditd : type=1400 audit(0.0:4): avc: denied { getattr } for comm="logd" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
03-20 19:52:23.431 900 900 I auditd : type=1400 audit(0.0:7): avc: denied { getattr } for comm="android.hardwar" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
...
03-20 22:40:42.316 1 1 W init : type=1400 audit(0.0:33): avc: denied { getattr } for path="/dev/kmsg" dev="tmpfs" ino=21999 scontext=u:r:init:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
Test: no denials related to these
Change-Id: I5263dd6b64c06fb092f3461858f57a1a09107429
21 lines
573 B
Plaintext
21 lines
573 B
Plaintext
# vdc spawned from init for the following services:
|
|
# defaultcrypto
|
|
# encrypt
|
|
#
|
|
# We also transition into this domain from dumpstate, when
|
|
# collecting bug reports.
|
|
|
|
type vdc, domain;
|
|
type vdc_exec, system_file_type, exec_type, file_type;
|
|
|
|
# vdc can be invoked with logwrapper, so let it write to pty
|
|
allow vdc devpts:chr_file rw_file_perms;
|
|
|
|
# vdc writes directly to kmsg during the boot process
|
|
allow vdc kmsg_device:chr_file { getattr w_file_perms };
|
|
|
|
# vdc talks to vold over Binder
|
|
binder_use(vdc)
|
|
binder_call(vdc, vold)
|
|
allow vdc vold_service:service_manager find;
|