cbd: Fix avc errors

avc: denied { setuid } for comm="cbd" capability=7 scontext=u:r:cbd:s0 tcontext=u:r:cbd:s0 tclass=capability permissive=1 avc: denied { search } for comm="cbd" name="vendor" dev="tmpfs" ino=2 scontext=u:r:cbd:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=1 Bug: 178331928 Bug: 171267363 Change-Id: Icf28f494f05ee386ce94213929926369f2775173
2021-03-10 14:31:55 +08:00 · 2021-03-10 14:31:55 +08:00 · 6247ff69b2
commit 6247ff69b2
parent 7edb7e30c4
2 changed files with 6 additions and 8 deletions
--- a/tracking_denials/cbd.te
+++ b/tracking_denials/cbd.te
@ -1,8 +1,3 @@
 # b/171267363
 dontaudit cbd cbd:capability {setuid };
 # b/178331928
 dontaudit cbd mnt_vendor_file:dir { search };
 dontaudit cbd mnt_vendor_file:dir { search };
 # b/178979986
 dontaudit cbd unlabeled:dir { getattr };
 dontaudit cbd unlabeled:file { open };
@ -19,6 +14,3 @@ dontaudit cbd unlabeled:file { open };
 # b/179198083
 dontaudit cbd unlabeled:file { ioctl };
 dontaudit cbd unlabeled:file { ioctl };
 # b/182219008
 dontaudit cbd persist_file:dir { search };
 dontaudit cbd persist_file:dir { search };
--- a/whitechapel/vendor/google/cbd.te
+++ b/whitechapel/vendor/google/cbd.te
@ -6,6 +6,12 @@ set_prop(cbd, vendor_modem_prop)
 set_prop(cbd, vendor_cbd_prop)
 set_prop(cbd, vendor_rild_prop)
 # Allow cbd to setuid from root to radio
 # TODO: confirming with vendor via b/182334947
 allow cbd self:capability { setgid setuid };
 allow cbd mnt_vendor_file:dir r_dir_perms;
 allow cbd kmsg_device:chr_file rw_file_perms;
 allow cbd vendor_shell_exec:file execute_no_trans;