Allow all domains access to /dev/qemu_trace.
/dev/qemu_trace is used by memcheck on qemu to get memory allocation events from all processes on the system. Allow all domains to access this device, and other qemu-specific devices.. Addresses the following denials: type=1400 audit(1402674828.500:3): avc: denied { read write } for pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.500:4): avc: denied { open } for pid=44 comm="servicemanager" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:servicemanager:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.520:5): avc: denied { read write } for pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.520:6): avc: denied { open } for pid=42 comm="logd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:logd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.610:7): avc: denied { read write } for pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674828.610:8): avc: denied { open } for pid=48 comm="debuggerd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:debuggerd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.000:9): avc: denied { read write } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.000:10): avc: denied { open } for pid=47 comm="netd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.180:11): avc: denied { read write } for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:12): avc: denied { read write } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:13): avc: denied { open } for pid=53 comm="installd" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:installd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.200:14): avc: denied { open } for pid=45 comm="vold" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:vold:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.280:15): avc: denied { read write } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674829.280:16): avc: denied { open } for pid=54 comm="keystore" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:keystore:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674830.580:17): avc: denied { read write } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674830.580:18): avc: denied { open } for pid=51 comm="drmserver" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:drmserver:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674930.860:22): avc: denied { read write } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file type=1400 audit(1402674930.870:23): avc: denied { open } for pid=655 comm="iptables" name="qemu_trace" dev="tmpfs" ino=1494 scontext=u:r:netd:s0 tcontext=u:object_r:qemu_device:s0 tclass=chr_file Bug: 15570479 Change-Id: I4999a1eb5c25b4238c53fe1e989bcf5fed1ae355
This commit is contained in:
parent
c80e876cd2
commit
b1b12f8ad4
|
@ -77,17 +77,13 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
|
|||
|
||||
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
|
||||
BOARD_SEPOLICY_UNION += \
|
||||
adbd.te \
|
||||
app.te \
|
||||
bootanim.te \
|
||||
device.te \
|
||||
domain.te \
|
||||
file.te \
|
||||
file_contexts \
|
||||
mediaserver.te \
|
||||
qemud.te \
|
||||
rild.te \
|
||||
shell.te \
|
||||
surfaceflinger.te \
|
||||
system_server.te \
|
||||
zygote.te
|
||||
system_server.te
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
allow adbd qemu_device:chr_file rw_file_perms;
|
|
@ -1 +0,0 @@
|
|||
allow appdomain qemu_device:chr_file rw_file_perms;
|
|
@ -1,3 +1,2 @@
|
|||
allow bootanim self:process execmem;
|
||||
allow bootanim ashmem_device:chr_file execute;
|
||||
allow bootanim qemu_device:chr_file rw_file_perms;
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
# For /sys/qemu_trace files in the emulator.
|
||||
allow domain sysfs_writable:file rw_file_perms;
|
||||
allow domain qemu_device:chr_file rw_file_perms;
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
allow mediaserver qemu_device:chr_file rw_file_perms;
|
|
@ -1,2 +1 @@
|
|||
allow rild qemu_device:chr_file rw_file_perms;
|
||||
unix_socket_connect(rild, qemud, qemud)
|
||||
|
|
|
@ -1,3 +1,2 @@
|
|||
allow surfaceflinger self:process execmem;
|
||||
allow surfaceflinger ashmem_device:chr_file execute;
|
||||
allow surfaceflinger qemu_device:chr_file rw_file_perms;
|
||||
|
|
|
@ -1,2 +1 @@
|
|||
unix_socket_connect(system_server, qemud, qemud)
|
||||
allow system_server qemu_device:chr_file rw_file_perms;
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
allow zygote qemu_device:chr_file rw_file_perms;
|
|
@ -59,13 +59,11 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
|
|||
|
||||
BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
|
||||
BOARD_SEPOLICY_UNION += \
|
||||
adbd.te \
|
||||
bootanim.te \
|
||||
device.te \
|
||||
domain.te \
|
||||
file.te \
|
||||
file_contexts \
|
||||
mediaserver.te \
|
||||
qemud.te \
|
||||
rild.te \
|
||||
shell.te \
|
||||
|
|
|
@ -44,8 +44,6 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
|
|||
|
||||
BOARD_SEPOLICY_DIRS += build/target/board/generic_x86/sepolicy
|
||||
BOARD_SEPOLICY_UNION += \
|
||||
app.te \
|
||||
adbd.te \
|
||||
bootanim.te \
|
||||
device.te \
|
||||
domain.te \
|
||||
|
@ -53,10 +51,8 @@ BOARD_SEPOLICY_UNION += \
|
|||
file_contexts \
|
||||
healthd.te \
|
||||
installd.te \
|
||||
mediaserver.te \
|
||||
qemud.te \
|
||||
rild.te \
|
||||
shell.te \
|
||||
surfaceflinger.te \
|
||||
system_server.te \
|
||||
zygote.te
|
||||
system_server.te
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
allow adbd qemu_device:chr_file rw_file_perms;
|
|
@ -1 +0,0 @@
|
|||
allow appdomain qemu_device:chr_file rw_file_perms;
|
|
@ -1 +0,0 @@
|
|||
allow bootanim qemu_device:chr_file rw_file_perms;
|
|
@ -1,3 +1,4 @@
|
|||
# For /sys/qemu_trace files in the emulator.
|
||||
allow domain sysfs_writable:file rw_file_perms;
|
||||
allow domain cpuctl_device:dir search;
|
||||
allow domain qemu_device:chr_file rw_file_perms;
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
allow mediaserver qemu_device:chr_file rw_file_perms;
|
|
@ -1,2 +1 @@
|
|||
allow rild qemu_device:chr_file rw_file_perms;
|
||||
unix_socket_connect(rild, qemud, qemud)
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
allow surfaceflinger qemu_device:chr_file rw_file_perms;
|
|
@ -1,3 +1,2 @@
|
|||
allow system_server self:process execmem;
|
||||
unix_socket_connect(system_server, qemud, qemud)
|
||||
allow system_server qemu_device:chr_file rw_file_perms;
|
||||
|
|
|
@ -1,3 +1,2 @@
|
|||
allow zygote self:process execmem;
|
||||
allow zygote self:capability sys_nice;
|
||||
allow zygote qemu_device:chr_file rw_file_perms;
|
||||
|
|
Loading…
Reference in New Issue