    sepolicy: grant dac_read_search to domains with dac_override · 342362ae
    Benjamin Gordon authored
    kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
    of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
    dac_override and dac_read_search checks.  Domains that have dac_override
    will now generate spurious denials for dac_read_search unless they also
    have that permission.  Since dac_override is a strict superset of
    dac_read_search, grant dac_read_search to all domains that already have
    dac_override to get rid of the denials.
    
    Bug: 114280985
    Bug: crbug.com/877588
    Test: Booted on a device running 4.14.
    Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
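The following is an added example, not part of this commit or of the sepolicy tree: a small audit script that finds domains granted `dac_override` without `dac_read_search` and uses that to triage `dac_read_search` denials as the ordering artifact the commit message describes. The policy rules, audit lines and `example_*` domain names are constructed, and the parser assumes plain `allow <domain> self:capability ...;` rules with no macros or attributes.

```python
import re

# Constructed sample policy; the domain names are hypothetical.
SAMPLE_POLICY = """
allow example_a self:capability { chown dac_override fowner };
allow example_b self:capability { dac_override dac_read_search };
allow example_c self:capability net_admin;
allow example_d self:capability dac_override;
"""

# Constructed sample audit lines (CAP_DAC_READ_SEARCH is capability 2).
SAMPLE_AUDIT = """
avc: denied { dac_read_search } for pid=612 comm="a" capability=2 scontext=u:r:example_a:s0 tcontext=u:r:example_a:s0 tclass=capability permissive=0
avc: denied { dac_read_search } for pid=700 comm="c" capability=2 scontext=u:r:example_c:s0 tcontext=u:r:example_c:s0 tclass=capability permissive=0
"""

RULE = re.compile(r"allow\s+(\w+)\s+self:capability\s+(?:\{([^}]*)\}|(\w+))\s*;")
DENIAL = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=\w+:\w+:(\w+):\S+.*?tclass=capability\b")

def capability_grants(policy):
    """Map each domain to the set of self:capability permissions it is allowed."""
    grants = {}
    for domain, braced, single in RULE.findall(policy):
        grants.setdefault(domain, set()).update((braced or single).split())
    return grants

def missing_read_search(grants):
    """Domains holding dac_override but not dac_read_search."""
    return sorted(d for d, perms in grants.items()
                  if "dac_override" in perms and "dac_read_search" not in perms)

def classify_denials(audit, grants):
    """Label each dac_read_search denial by whether dac_override explains it."""
    verdicts = {}
    for line in audit.splitlines():
        m = DENIAL.search(line)
        if m and "dac_read_search" in m.group(1).split():
            domain = m.group(2)
            has_override = "dac_override" in grants.get(domain, ())
            # With dac_override present the access itself is still permitted,
            # so the denial only reflects the new check order.
            verdicts[domain] = "spurious" if has_override else "needs_review"
    return verdicts

if __name__ == "__main__":
    g = capability_grants(SAMPLE_POLICY)
    print(missing_read_search(g))
    print(classify_denials(SAMPLE_AUDIT, g))
```

A denial marked `needs_review` comes from a domain with neither permission, so it is not covered by the reasoning in the commit message and should be examined on its own.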