From ea1d6e7dc253a79d666034ddb11df7bfa332b496 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 14 Jun 2017 10:11:12 -0700
Subject: [PATCH] recovery: clean up audit logspam
avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { getattr } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
Fixes: 62619253
Test: policy builds, no more "granted" messages in dmesg for recovery.
Change-Id: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3
---
private/domain_deprecated.te | 10 ++++++++++
public/recovery.te | 2 ++
2 files changed, 12 insertions(+)
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 69602c3a1..c4aacb1c1 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -7,6 +7,7 @@ auditallow {
domain_deprecated
-appdomain
-installd
+ -recovery
-sdcardd
-surfaceflinger
-system_server
@@ -38,6 +39,7 @@ auditallow {
-fsck
-healthd
-installd
+ -recovery
-servicemanager
-system_server
-ueventd
@@ -49,6 +51,7 @@ auditallow {
domain_deprecated
-healthd
-installd
+ -recovery
-servicemanager
-system_server
-ueventd
@@ -61,6 +64,7 @@ auditallow {
-appdomain
-healthd
-installd
+ -recovery
-servicemanager
-system_server
-ueventd
@@ -141,17 +145,20 @@ allow domain_deprecated cache_file:lnk_file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
+ -recovery
-system_server
-vold
} cache_file:dir { open read search ioctl lock };
auditallow {
domain_deprecated
-appdomain
+ -recovery
-system_server
-vold
} cache_file:dir getattr;
auditallow {
domain_deprecated
+ -recovery
-system_server
-vold
} cache_file:file { getattr read };
@@ -212,6 +219,7 @@ auditallow {
-fingerprintd
-healthd
-netd
+ -recovery
-system_app
-surfaceflinger
-system_server
@@ -224,6 +232,7 @@ auditallow {
-fingerprintd
-healthd
-netd
+ -recovery
-system_app
-surfaceflinger
-system_server
@@ -236,6 +245,7 @@ auditallow {
-fingerprintd
-healthd
-netd
+ -recovery
-system_app
-surfaceflinger
-system_server
diff --git a/public/recovery.te b/public/recovery.te
index 99d792cbe..3be1f465b 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -18,6 +18,7 @@ recovery_only(`
allow recovery self:capability2 mac_admin;
# Run helpers from / or /system without changing domain.
+ r_dir_file(recovery, rootfs)
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
allow recovery toolbox_exec:file rx_file_perms;
@@ -56,6 +57,7 @@ recovery_only(`
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
+ r_dir_file(recovery, sysfs)
allow recovery sysfs:file w_file_perms;
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
--
GitLab