sepolicy: grant dac_read_search to domains with dac_override

kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4

Changed files:
- private/llkd.te (1 addition, 1 deletion)
- private/storaged.te (1 addition, 1 deletion)
- private/vold_prepare_subdirs.te (1 addition, 1 deletion)
- private/zygote.te (1 addition, 1 deletion)
- public/dnsmasq.te (1 addition, 1 deletion)
- public/domain.te (30 additions, 23 deletions)
- public/dumpstate.te (1 addition, 1 deletion)
- public/init.te (1 addition, 1 deletion)
- public/install_recovery.te (1 addition, 1 deletion)
- public/installd.te (1 addition, 1 deletion)
- public/lmkd.te (1 addition, 1 deletion)
- public/netd.te (1 addition, 1 deletion)
- public/perfprofd.te (1 addition, 1 deletion)
- public/postinstall_dexopt.te (1 addition, 1 deletion)
- public/recovery.te (1 addition, 0 deletions)
- public/runas.te (1 addition, 1 deletion)
- public/sdcardd.te (1 addition, 1 deletion)
- public/ueventd.te (1 addition, 1 deletion)
- public/uncrypt.te (1 addition, 1 deletion)
- public/vendor_init.te (1 addition, 1 deletion)
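
The pairing this commit describes can be checked across a policy tree with a small lint. The following is an added example, not part of the commit or of the sepolicy project: it reports every domain whose allow rules grant dac_override on a capability class without also granting dac_read_search. The sample rules and domain names are constructed, the expansion of global_capability_class_set to capability and cap_userns is an assumption, and only plain `allow` rules with a single source type are handled (no macros or attribute-based grants).

```python
import re

# Constructed sample rules; the domain names are hypothetical, not from the commit.
SAMPLE_POLICY = """
allow example_a self:global_capability_class_set { dac_override sys_admin };
allow example_b self:capability { dac_override dac_read_search chown };
allow example_c self:capability dac_read_search;
allow example_d self:{ capability cap_userns } dac_override;
allow example_d self:capability dac_read_search;
# allow example_e self:capability dac_override;   (commented out, ignored)
"""

# Assumption: global_capability_class_set expands to these two classes.
CAP_CLASSES = {"capability", "cap_userns"}

# allow <source> <target>:<class or {set}> <perm or {set}>;
RULE = re.compile(
    r"^\s*allow\s+(\S+)\s+[^\s:]+\s*:\s*(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;",
    re.MULTILINE,
)


def _items(token):
    """Split 'x' or '{ x y }' into a set of names."""
    return set(token.strip("{} \t").split())


def _classes(token):
    """Return the capability classes a rule's class field covers."""
    names = _items(token)
    if "global_capability_class_set" in names:
        names |= CAP_CLASSES
    return names & CAP_CLASSES


def missing_read_search(policy_text):
    """Return sorted (domain, class) pairs with dac_override but no dac_read_search."""
    granted = {}  # (domain, class) -> union of permissions over all rules
    for source, classes, perms in RULE.findall(policy_text):
        for cls in _classes(classes):
            granted.setdefault((source, cls), set()).update(_items(perms))
    return sorted(
        key for key, perms in granted.items()
        if "dac_override" in perms and "dac_read_search" not in perms
    )


if __name__ == "__main__":
    for domain, cls in missing_read_search(SAMPLE_POLICY):
        print(f"{domain}: {cls} has dac_override without dac_read_search")
```

Permissions are merged per (domain, class) across rules, so a domain that gets dac_read_search in a separate rule for the same class is not reported.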