authordcashman <dcashman@google.com>2014-06-16 14:17:05 -0700
committerdcashman <dcashman@google.com>2014-06-16 14:17:05 -0700
commit38a261a82b671dadd370ae0ebdc3de36013de05d (patch)
tree7b9738f2fcffee950d0438620675f257bd5ecd58 /target/board/generic/sepolicy
parent357842b109db31c85aebb8d1c9f70885fe1cb07c (diff)
Allow all domains access to /dev/qemu_trace.
/dev/qemu_trace is used by memcheck on qemu to get memory allocation events from all processes on the system. Allow all domains to access this device, and other qemu-specific devices. Addresses the following denials: type=1400 audit(1402674828.500:3): avc: denied { read write } for pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.500:4): avc: denied { open } for pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.520:5): avc: denied { read write } for pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.520:6): avc: denied { open } for pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.610:7): avc: denied { read write } for pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.610:8): avc: denied { open } for pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.000:9): avc: denied { read write } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.000:10): avc: denied { open } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.180:11): avc: denied { read write } for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 
tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:12): avc: denied { read write } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:13): avc: denied { open } for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:14): avc: denied { open } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.280:15): avc: denied { read write } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.280:16): avc: denied { open } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674830.580:17): avc: denied { read write } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674830.580:18): avc: denied { open } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674930.860:22): avc: denied { read write } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674930.870:23): avc: denied { open } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file Bug: 15570479 Change-Id: I87d0976800557d73064e2da038315b0d019d7a60
Diffstat (limited to 'target/board/generic/sepolicy')
-rw-r--r--target/board/generic/sepolicy/adbd.te1
-rw-r--r--target/board/generic/sepolicy/app.te1
-rw-r--r--target/board/generic/sepolicy/bootanim.te1
-rw-r--r--target/board/generic/sepolicy/domain.te1
-rw-r--r--target/board/generic/sepolicy/mediaserver.te1
-rw-r--r--target/board/generic/sepolicy/rild.te1
-rw-r--r--target/board/generic/sepolicy/surfaceflinger.te1
-rw-r--r--target/board/generic/sepolicy/system_server.te1
-rw-r--r--target/board/generic/sepolicy/zygote.te1
9 files changed, 1 insertions, 8 deletions
diff --git a/target/board/generic/sepolicy/adbd.te b/target/board/generic/sepolicy/adbd.te
deleted file mode 100644
index f65cfb3..0000000
--- a/target/board/generic/sepolicy/adbd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow adbd qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/app.te b/target/board/generic/sepolicy/app.te
deleted file mode 100644
index fd33453..0000000
--- a/target/board/generic/sepolicy/app.te
+++ /dev/null
@@ -1 +0,0 @@
-allow appdomain qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/bootanim.te b/target/board/generic/sepolicy/bootanim.te
index a5a84f9..d6506e1 100644
--- a/target/board/generic/sepolicy/bootanim.te
+++ b/target/board/generic/sepolicy/bootanim.te
@@ -1,3 +1,2 @@
allow bootanim self:process execmem;
allow bootanim ashmem_device:chr_file execute;
-allow bootanim qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/domain.te b/target/board/generic/sepolicy/domain.te
index f026100..c28ca74 100644
--- a/target/board/generic/sepolicy/domain.te
+++ b/target/board/generic/sepolicy/domain.te
@@ -1,2 +1,3 @@
# For /sys/qemu_trace files in the emulator.
allow domain sysfs_writable:file rw_file_perms;
+allow domain qemu_device:chr_file rw_file_perms;
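Review bot: The header comment on the first line of domain.te now under-describes the file: it still says the rules are for "/sys/qemu_trace files", while the added line grants every domain read/write on every character device labelled qemu_device, which per the commit message includes /dev/qemu_trace and other qemu-specific nodes. Since this is the one place a reader will check why an all-domain device rule exists, the comment should say so, e.g. `# Emulator only: /sys/qemu_trace files and qemu_device character devices (/dev/qemu_trace etc.), read by memcheck from every process.` The observed denials list only read, write and open, whereas rw_file_perms is presumably a wider set (ioctl and friends, depending on the project's macro definition); if the tracing device genuinely needs only those three, a narrower permission set would keep the domain-wide grant minimal, though the deleted per-domain rules used rw_file_perms as well, so this is consistent with prior policy. It would also be worth a one-line note that this file is under target/board/generic and therefore never reaches a physical device build, which is what makes a domain-wide device rule acceptable here.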
diff --git a/target/board/generic/sepolicy/mediaserver.te b/target/board/generic/sepolicy/mediaserver.te
deleted file mode 100644
index 90b8cf8..0000000
--- a/target/board/generic/sepolicy/mediaserver.te
+++ /dev/null
@@ -1 +0,0 @@
-allow mediaserver qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/rild.te b/target/board/generic/sepolicy/rild.te
index 5de171a..e148b6c 100644
--- a/target/board/generic/sepolicy/rild.te
+++ b/target/board/generic/sepolicy/rild.te
@@ -1,2 +1 @@
-allow rild qemu_device:chr_file rw_file_perms;
unix_socket_connect(rild, qemud, qemud)
diff --git a/target/board/generic/sepolicy/surfaceflinger.te b/target/board/generic/sepolicy/surfaceflinger.te
index 6712789..4c35469 100644
--- a/target/board/generic/sepolicy/surfaceflinger.te
+++ b/target/board/generic/sepolicy/surfaceflinger.te
@@ -1,3 +1,2 @@
allow surfaceflinger self:process execmem;
allow surfaceflinger ashmem_device:chr_file execute;
-allow surfaceflinger qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/system_server.te b/target/board/generic/sepolicy/system_server.te
index ef4ce4a..d0fb79d 100644
--- a/target/board/generic/sepolicy/system_server.te
+++ b/target/board/generic/sepolicy/system_server.te
@@ -1,2 +1 @@
unix_socket_connect(system_server, qemud, qemud)
-allow system_server qemu_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/zygote.te b/target/board/generic/sepolicy/zygote.te
deleted file mode 100644
index a5da574..0000000
--- a/target/board/generic/sepolicy/zygote.te
+++ /dev/null
@@ -1 +0,0 @@
-allow zygote qemu_device:chr_file rw_file_perms;