summaryrefslogtreecommitdiffstats
path: root/target/board/generic_x86/sepolicy
Commit message (Collapse)AuthorAgeFilesLines
* Allow init to create /mnt/sdcard symlink.dcashman2015-07-011-0/+1
| | | | | | | | Addresses the following denial: avc: denied { create } for pid=1 comm="init" name="sdcard" scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0 Bug: 22084499 Change-Id: Icffef8330d07b00f36fda11374e39e0df7181ca3
* Coalesce generic_x86 and generic sepolicy where possible.Stephen Smalley2014-06-178-18/+0
| | | | | | | | | We originally forked a complete copy of generic/sepolicy into generic_x86/sepolicy, but we can instead inherit from it and merely add rules as needed under generic_x86/sepolicy. Change-Id: I21e1a1425ce08676a8ea69685a4761db3bfde628 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Allow all domains access to /dev/qemu_trace.dcashman2014-06-169-8/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | /dev/qemu_trace is used by memcheck on qemu to get memory allocation events from all processes on the system. Allow all domains to access this device, and other qemu-specific devices. Addresses the following denials: type=1400 audit(1402674828.500:3): avc: denied { read write } for pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.500:4): avc: denied { open } for pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.520:5): avc: denied { read write } for pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.520:6): avc: denied { open } for pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.610:7): avc: denied { read write } for pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.610:8): avc: denied { open } for pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.000:9): avc: denied { read write } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.000:10): avc: denied { open } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.180:11): avc: denied { read write } for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:12): avc: denied { read write } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:13): avc: denied { open } for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:14): avc: denied { open } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.280:15): avc: denied { read write } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.280:16): avc: denied { open } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674830.580:17): avc: denied { read write } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674830.580:18): avc: denied { open } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674930.860:22): avc: denied { read write } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674930.870:23): avc: denied { open } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file Bug: 15570479 Change-Id: I87d0976800557d73064e2da038315b0d019d7a60
* Revert "Allow all domains access to /dev/qemu_trace."dcashman2014-06-169-1/+8
| | | | This reverts commit b1b12f8ad49ecbba7dd6b9db2a0ca8fafa532d82.
* Allow all domains access to /dev/qemu_trace.dcashman2014-06-169-8/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | /dev/qemu_trace is used by memcheck on qemu to get memory allocation events from all processes on the system. Allow all domains to access this device, and other qemu-specific devices.. Addresses the following denials: type=1400 audit(1402674828.500:3): avc: denied { read write } for pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.500:4): avc: denied { open } for pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.520:5): avc: denied { read write } for pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.520:6): avc: denied { open } for pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.610:7): avc: denied { read write } for pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.610:8): avc: denied { open } for pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.000:9): avc: denied { read write } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.000:10): avc: denied { open } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.180:11): avc: denied { read write } for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:12): avc: denied { read write } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:13): avc: denied { open } for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:14): avc: denied { open } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.280:15): avc: denied { read write } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.280:16): avc: denied { open } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674830.580:17): avc: denied { read write } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674830.580:18): avc: denied { open } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674930.860:22): avc: denied { read write } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674930.870:23): avc: denied { open } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file Bug: 15570479 Change-Id: I4999a1eb5c25b4238c53fe1e989bcf5fed1ae355
* Allow qemu_device read-write access to various processesJi-Hwan Lee2014-05-194-0/+4
| | | | | | | | | Basically, allow access of qemu_device where gpu_device is allowed, for the case when the emulator runs with OpenGL/ES emulation. Most noticably, surfaceflinger crashes without qemu_device access. Bug: 15052949 Change-Id: Ib891365a6d503309bced64e2512c4d8f29d9a07e
* Allow shell serial_device read-write accessNick Kralevich2014-03-181-0/+1
| | | | | | | | | | | | When starting the emulator, the system console writes entries to /dev/ttyS2. We need to allow the writes, otherwise this generates denials when you run "emulator -verbose -logcat '*:v' -show-kernel" Addresses the following denial: type=1400 audit(1395076594.320:446): avc: denied { read write } for pid=5600 comm="sh" path="/dev/ttyS2" dev="tmpfs" ino=1487 scontext=u:r:shell:s0 tcontext=u:object_r:serial_device:s0 tclass=chr_file Bug: 13506702 Change-Id: I3729537cabb0bf8e8b2905d3def43a293bb1081f
* Add policy for MIPS emulator, fix x86 policy.Stephen Smalley2014-02-261-0/+2
| | | | | | | | | | | | | | | | | | | | | The qemud and /dev/qemu_pipe policy bits copied to generic and generic_x86 by I620d4aef84a5d4565abb1695db54ce1653612bce are required for generic_mips as well. In testing, we further saw other denials for generic_mips that correspond exactly to what is already allowed in the generic sepolicy, so just inherit the sepolicy files from generic for now. We could do likewise for the generic_x86 sepolicy for the files that are identical with generic if desired, but that is not done by this change. The generic_x86 sepolicy was missing a rule for /sys/qemu_trace moved to the generic sepolicy by the prior change, so fix that omission. The generic*64 variants will need something similar, either by inheriting from one of the existing sepolicy directories as in the MIPS case or by forking their own copies as in the x86 case. Change-Id: Iec7c8825734a3f96f7db8ae1d10dce1f30b22bdf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.Stephen Smalley2014-02-258-0/+18
| | | | | Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Add policy for x86 emulator.Stephen Smalley2013-12-205-0/+6
generated by cgit v1.1 at 2025-01-30 13:56:33 +0000