From 5c76e0c1f3166a61c6cdd6ff5480a1c361d6a562 Mon Sep 17 00:00:00 2001
From: Kris Chen
Date: Mon, 8 Mar 2021 16:35:50 +0800
Subject: [PATCH] trusty_apploader: Fix avc errors
Fix the following avc denials:
trusty_apploade: type=1400 audit(0.0:3): avc: denied { read } for name="system" dev="tmpfs" ino=713 scontext=u:r:trusty_apploader:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
trusty_apploade: type=1400 audit(0.0:4): avc: denied { open } for path="/dev/dma_heap/system" dev="tmpfs" ino=713 scontext=u:r:trusty_apploader:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
trusty_apploade: type=1400 audit(0.0:5): avc: denied { ioctl } for path="/dev/dma_heap/system" dev="tmpfs" ino=713 ioctlcmd=0x4800 scontext=u:r:trusty_apploader:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
Bug: 180874342
Test: Verify no avc denied when trusty app is loaded.
Change-Id: Idbd850580220a1cb85a221d769d741f63cd8751f
---
 whitechapel/vendor/google/trusty_apploader.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel/vendor/google/trusty_apploader.te b/whitechapel/vendor/google/trusty_apploader.te
index b3f91794..983e3a03 100644
--- a/whitechapel/vendor/google/trusty_apploader.te
+++ b/whitechapel/vendor/google/trusty_apploader.te
@@ -4,3 +4,4 @@ init_daemon_domain(trusty_apploader)
 allow trusty_apploader ion_device:chr_file r_file_perms;
 allow trusty_apploader tee_device:chr_file rw_file_perms;
+allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms;
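Review bot: The added `allow` line grants `r_file_perms` on `dmabuf_system_heap_device`, which is wider than the three logged denials (read, open, ioctl) and leaves ioctl unfiltered, although the only command in the log is `ioctlcmd=0x4800`. If the loader needs nothing else from the heap node, the ioctl surface can be pinned by adding `allowxperm trusty_apploader dmabuf_system_heap_device:chr_file ioctl 0x4800;` next to the new rule. The `ion_device` rule above it is kept; if the loader now allocates only from the DMA-BUF heap that rule may no longer be needed, which is worth confirming on an enforcing build because the quoted denials were recorded with `permissive=1`. A short comment above the rule, such as `# System DMA-BUF heap access for trusty_apploader (b/180874342)`, would record why the access exists.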