domain.te: allow /proc/net/psched access · 0f0324cc
Nick Kralevich authored

external/sepolicy commit 99940d1a
(https://android-review.googlesource.com/123331) removed /proc/net
access from domain.te.

Around the same time, system/core commit
9a20e67fa62c1e0e0080910deec4be82ebecc922
(https://android-review.googlesource.com/123531) was checked in.
This change added libnl as a dependency of libsysutils.

external/libnl/lib/utils.c has a function called get_psched_settings(),
which is annotated with __attribute__((constructor)). This code
gets executed when the library is loaded, regardless of whether or
not other libnl code is executed.

By adding the libnl dependency, even code which doesn't use the
network (such as vold and logd) ends up accessing /proc/net/psched.

For now, allow this behavior. However, in the future, it would be
better to break this dependency so the additional code isn't loaded
into processes which don't need it.

Addresses the following denials:

  avc: denied { read } for  pid=148 comm="logd" name="psched" dev="proc" ino=4026536508 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=152 comm="vold" name="psched" dev="proc" ino=4026536508 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=930 comm="wpa_supplicant" name="psched" dev="proc" ino=4026536508 scontext=u:r:wpa:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0

Bug: 19079006
Change-Id: I1b6d2c144534d3f70f0028ef54b470a75bace1cf
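The mechanism the commit message describes, as an added example that is not code from the sepolicy or libnl projects: a function marked `__attribute__((constructor))` runs when the object containing it is loaded, so any process that merely links a library carrying such a function performs the load-time work whether or not it ever calls into that library. For the sake of a single runnable file the constructor lives in the executable itself rather than in a separate shared library; the ordering is the same either way (constructors run before main()). The path /proc/net/psched and its four-hex-field layout are the kernel's; the function and variable names, the status enum and the error handling are this example's own and are not libnl's get_psched_settings().

```c
/*
 * Added example: a load-time probe of /proc/net/psched, modelled on the
 * pattern the commit describes (a constructor that reads the file on load).
 * Function/variable names here are hypothetical, not libnl's.
 * Build: cc -Wall -o psched_ctor psched_ctor.c && ./psched_ctor
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PSCHED_PATH "/proc/net/psched"

/* Outcome of the load-time probe, recorded for inspection later. */
enum psched_status {
    PSCHED_NOT_RUN = 0,   /* constructor has not executed; should never be observed */
    PSCHED_OK,            /* file opened and four hex fields parsed */
    PSCHED_OPEN_FAILED,   /* fopen() failed; errno saved in g_probe_errno */
    PSCHED_PARSE_FAILED   /* file opened but did not contain four hex fields */
};

static enum psched_status g_probe_status = PSCHED_NOT_RUN;
static int g_probe_errno = 0;
/* The four values the kernel exposes: ns_per_usec, ns_per_tick, nom, denom. */
static unsigned int g_psched[4];

/*
 * Runs automatically when this object is loaded. Nothing in main() calls it,
 * which is the point: a process that never touches the network still performs
 * this read. Under an SELinux policy that does not grant the domain read access
 * to proc_net, the fopen() below fails with EACCES and the kernel logs an
 * "avc: denied { read } ... name=\"psched\"" message like the ones in the commit.
 */
static void __attribute__((constructor)) get_psched_settings_probe(void)
{
    FILE *fp = fopen(PSCHED_PATH, "r");
    if (fp == NULL) {
        g_probe_errno = errno;
        g_probe_status = PSCHED_OPEN_FAILED;
        return;
    }
    if (fscanf(fp, "%08x %08x %08x %08x",
               &g_psched[0], &g_psched[1], &g_psched[2], &g_psched[3]) == 4)
        g_probe_status = PSCHED_OK;
    else
        g_probe_status = PSCHED_PARSE_FAILED;
    fclose(fp);
}

/* Accessors so the outcome can be checked without re-reading the file. */
int psched_probe_ran(void) { return g_probe_status != PSCHED_NOT_RUN; }
enum psched_status psched_probe_status(void) { return g_probe_status; }
int psched_probe_errno(void) { return g_probe_errno; }

int main(void)
{
    /* No call into the "library" happens here; the probe already ran. */
    switch (psched_probe_status()) {
    case PSCHED_OK:
        printf("%s read at load time: ns_per_usec=%08x ns_per_tick=%08x nom=%08x denom=%08x\n",
               PSCHED_PATH, g_psched[0], g_psched[1], g_psched[2], g_psched[3]);
        break;
    case PSCHED_OPEN_FAILED:
        /* EACCES here is what an SELinux denial looks like from inside the process. */
        printf("%s open failed at load time: %s\n",
               PSCHED_PATH, strerror(psched_probe_errno()));
        break;
    case PSCHED_PARSE_FAILED:
        printf("%s opened but had unexpected contents\n", PSCHED_PATH);
        break;
    case PSCHED_NOT_RUN:
        printf("constructor did not run (unexpected)\n");
        break;
    }
    return 0;
}
```

Running this on a box without /proc/net/psched (or in a domain denied proc_net read) still shows the probe executed before main(); only the recorded status changes. That is why the commit's denials appear in logd and vold, processes with no network role: the access is a property of what gets loaded, not of what the process calls, and the lasting fix the message points to is dropping the libnl dependency rather than widening the policy.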