e15af041dd
After switching aocxd to stable AIDL, we encountered some permissions
issues associated with dumpstate:
dumpstate: type=1400 audit(0.0:548): avc: denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:aocxd:s0 tclass=binder permissive=0
dumpstate: type=1400 audit(0.0:17): avc: denied { use } for path="pipe:[214567]" dev="pipefs" ino=214567 scontext=u:r:aocxd:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=0
dumpstate: type=1400 audit(0.0:15): avc: denied { write } for path="pipe:[212933]" dev="pipefs" ino=212933 scontext=u:r:aocxd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=0
TEST:
make selinux_policy -j128
adb push $ANDROID_PRODUCT_OUT/vendor/etc/selinux/* /vendor/etc/selinux
adb reboot
adb root
adb bugreport
BUG: 347156752
Change-Id: I188263ee9b186736a48fd3a0cfa83745e2e54108
32 lines
704 B
Plaintext
32 lines
704 B
Plaintext
# aocxd server domain
|
|
type aocxd, domain;
|
|
type aocxd_exec, vendor_file_type, exec_type, file_type;
|
|
init_daemon_domain(aocxd)
|
|
|
|
# sysfs operations
|
|
allow aocxd sysfs_aoc:dir search;
|
|
|
|
# dev operations
|
|
allow aocxd aoc_device:chr_file rw_file_perms;
|
|
|
|
# allow inotify to watch for additions/removals from /dev
|
|
allow aocxd device:dir r_dir_perms;
|
|
|
|
# set properties
|
|
set_prop(aocxd, vendor_aoc_prop);
|
|
|
|
# allow binder access
|
|
vndbinder_use(aocxd);
|
|
|
|
# allow managing wakelocks
|
|
wakelock_use(aocxd);
|
|
|
|
# add aocx service to the domain
|
|
add_service(aocxd, aocx);
|
|
|
|
# allow managing thread priority
|
|
allow aocxd self:global_capability_class_set sys_nice;
|
|
|
|
allow aocxd dumpstate:fd use;
|
|
allow aocxd dumpstate:fifo_file write;
|