Starting off by adding allow rules for per_mgr, it became clear that
per_proxy had been lumped in as a per_mgr_exec class, though looking at
marlin showed that the two had been separated. In keeping with that
convention, per_proxy was also split out into its own class and .te
file. This policy change was motivated by the following SELinux denials on
per_mgr:
avc: denied { read } for pid=625 comm="pm-service"
scontext=u:r:per_mgr:s0 tcontext=u:r:per_mgr:s0 tclass=socket
avc: denied { transfer } for pid=654 comm="pm-proxy"
scontext=u:r:per_mgr:s0 tcontext=u:r:per_mgr:s0 tclass=binder
avc: denied { read } for pid=654 comm="pm-proxy" name="name" dev="sysfs"
ino=32744 scontext=u:r:per_mgr:s0 tcontext=u:object_r:sysfs:s0
tclass=file
avc: denied { read } for pid=623 comm="Binder:604_1" name="subsys_modem"
dev="tmpfs" ino=20191 scontext=u:r:per_mgr:s0
tcontext=u:object_r:ssr_device:s0 tclass=chr_file
avc: denied { open } for pid=623 comm="Binder:604_1"
path="/dev/subsys_modem" dev="tmpfs" ino=20191 scontext=u:r:per_mgr:s0
tcontext=u:object_r:ssr_device:s0 tclass=chr_file
Bug: 34784662
Test: The above denials are cleaned up in the boot logs
Change-Id: I4929c870f860c2e0fa7ea1d7412f960923fea602
# Policy for /system/bin/pm-proxy
#
# pm-proxy previously ran inside the per_mgr domain (it was labelled
# per_mgr_exec); this file gives it a domain of its own, matching the split
# already done on marlin. The rules below cover the denials that were logged
# against per_mgr while pm-proxy was still running there.

# Domain for the pm-proxy process, and the label for its executable.
type per_proxy, domain;
type per_proxy_exec, exec_type, file_type;

# pm-proxy is started by init; set up the init -> per_proxy domain transition.
init_daemon_domain(per_proxy)

# Look up per_mgr's service via servicemanager.
allow per_proxy per_mgr_service:service_manager find;
# Read access to sysfs (the logged denial: read of a sysfs file by comm="pm-proxy").
# NOTE(review): sysfs_type covers every sysfs label, while the denial names a
# single file; a narrower, file-specific label may be sufficient — confirm.
r_dir_file(per_proxy, sysfs_type)

# Binder: use the driver and call into per_mgr (the logged denial: binder
# transfer by comm="pm-proxy" while it was still in the per_mgr domain).
binder_use(per_proxy)
binder_call(per_proxy, per_mgr)