From 4075287498706dcd322b52de4f85692bb35c3c32 Mon Sep 17 00:00:00 2001
From: Rick Yiu
Date: Thu, 25 Nov 2021 21:54:47 +0800
Subject: [PATCH] gs101-sepolicy: Fix avc denials

Fix below and other potential denials
11-21 10:10:43.984 3417 3417 I auditd : type=1400 audit(0.0:4): avc: denied { write } for comm=4173796E635461736B202332 path="/sys/kernel/vendor_sched/set_task_group_fg" dev="sysfs" ino=44511 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_vendor_sched:s0 tclass=file permissive=0 app=com.google.android.pixel.setupwizard
11-21 10:10:44.840 3976 3976 I auditd : type=1400 audit(0.0:10): avc: denied { write } for comm="StallDetector-1" path="/sys/kernel/vendor_sched/set_task_group_fg" dev="sysfs" ino=44511 scontext=u:r:untrusted_app_30:s0:c170,c256,c512,c768 tcontext=u:object_r:sysfs_vendor_sched:s0 tclass=file permissive=0 app=com.google.android.inputmethod.latin
11-21 18:10:51.280 5595 5595 I auditd : type=1400 audit(0.0:102): avc: denied { write } for comm="SharedPreferenc" path="/sys/kernel/vendor_sched/set_task_group_fg" dev="sysfs" ino=44511 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:sysfs_vendor_sched:s0 tclass=file permissive=0 app=com.google.android.gms
Bug: 206970384
Test: make selinux_policy pass
Change-Id: I7c981ef0516dc5be93ec825768de57c15786b4bd
---
private/gmscore_app.te | 1 +
private/priv_app.te | 1 +
whitechapel/vendor/google/logger_app.te | 1 +
whitechapel/vendor/google/mediaprovider.te | 1 +
whitechapel/vendor/google/shell.te | 1 +
whitechapel/vendor/google/untrusted_app_all.te | 1 +
6 files changed, 6 insertions(+)

diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index fa20f247..3968de30 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -1,2 +1,3 @@
 # b/177389198
 dontaudit gmscore_app adbd_prop:file *;
+dontaudit gmscore_app sysfs_vendor_sched:file write;
diff --git a/private/priv_app.te b/private/priv_app.te
index 2ef1f969..de2a4f28 100644
--- a/private/priv_app.te
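Review bot: The new gmscore_app rule carries no bug reference, while the existing rule in the same file is annotated with `# b/177389198`; add `# b/206970384` on the line before `dontaudit gmscore_app sysfs_vendor_sched:file write;` so a later audit of dontaudit rules can find why writes from GMS to the vendor scheduler node are being hidden rather than fixed. The denial quoted in the description comes from a `SharedPreferenc` thread, which suggests a library probing the node rather than an intended write, so the comment should also state that this is deliberately a dontaudit and must not become an allow.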
+++ b/private/priv_app.te
@@ -17,3 +17,4 @@ dontaudit priv_app ab_update_gki_prop:file { getattr };
 dontaudit priv_app ab_update_gki_prop:file { map };
 dontaudit priv_app adbd_prop:file { open };
 dontaudit priv_app adbd_prop:file { getattr };
+dontaudit priv_app sysfs_vendor_sched:file write;
diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te
index 8c8f5197..d091cff0 100644
--- a/whitechapel/vendor/google/logger_app.te
+++ b/whitechapel/vendor/google/logger_app.te
@@ -25,4 +25,5 @@ userdebug_or_eng(`
  dontaudit logger_app default_prop:file { read };
  dontaudit logger_app sysfs_vendor_sched:dir search;
+ dontaudit logger_app sysfs_vendor_sched:file write;
 ')
diff --git a/whitechapel/vendor/google/mediaprovider.te b/whitechapel/vendor/google/mediaprovider.te
index a1b629f8..835593fc 100644
--- a/whitechapel/vendor/google/mediaprovider.te
+++ b/whitechapel/vendor/google/mediaprovider.te
@@ -1 +1,2 @@
 dontaudit mediaprovider sysfs_vendor_sched:dir search;
+dontaudit mediaprovider sysfs_vendor_sched:file write;
diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te
index aa4dfa44..abc2f2cc 100644
--- a/whitechapel/vendor/google/shell.te
+++ b/whitechapel/vendor/google/shell.te
@@ -7,3 +7,4 @@ userdebug_or_eng(`
 ')
 dontaudit shell sysfs_vendor_sched:dir search;
+dontaudit shell sysfs_vendor_sched:file write;
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
index 04229ff6..dda81542 100644
--- a/whitechapel/vendor/google/untrusted_app_all.te
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -3,3 +3,4 @@
 allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
 dontaudit untrusted_app_all sysfs_vendor_sched:dir search;
+dontaudit untrusted_app_all sysfs_vendor_sched:file write;
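Review bot: Silencing `sysfs_vendor_sched:file write` for every untrusted app in untrusted_app_all.te removes future evidence of apps probing a scheduler-tuning node without recording why; the dontaudit grants nothing, which is the right outcome, but the log lines in the description show the write coming from an ordinary app thread (`StallDetector-1`), so the root cause looks like a shared library calling into `/sys/kernel/vendor_sched/` unconditionally. Add `# b/206970384: apps probe set_task_group_fg via a shared lib; silence only, never allow` above the new line, and confirm the library side is fixed so the write attempt stops rather than merely going unlogged. If core policy already has a neverallow covering untrusted-app writes to sysfs_type files (I cannot verify that from this diff), the comment should cite it so nobody later converts this dontaudit into an allow.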