Stephen Smalley authored
This resolves denials such as:

type=1400 audit(7803852.559:251): avc: denied { getattr } for pid=5702 comm="main" path="/system/bin/app_process" dev="mmcblk0p25" ino=60 scontext=u:r:zygote:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file

(triggered on an art crash seen in recent AOSP master)

Rather than just adding this permission individually, just rewrite the existing rule to use the rx_file_perms macro. We already allowed most of these permissions by way of the domain_auto_trans() rule via init_daemon_domain() and the rule for the --invoke-with support. Using macros helps reduce policy fragility/brittleness.

Change-Id: Ib7edc17469c47bde9edd89f0e6cf5cd7f90fdb76
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
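
The reasoning in the commit message, as an added example that is not part of the commit or of AOSP: parse the quoted AVC denial and check whether the permissions the domain needs fit inside rx_file_perms, in which case the rule can name the macro instead of a hand-written permission list. The macro expansions and the PRIOR_PERMS set are assumptions (the page does not show the old rule), and parse_avc and suggest_rule are hypothetical helper names.

```python
import re

# Assumed expansions of the AOSP policy macros named in the commit message;
# check them against global_macros in the tree you are building.
R_FILE_PERMS = {"getattr", "open", "read", "ioctl", "lock"}
X_FILE_PERMS = {"getattr", "execute", "execute_no_trans"}
RX_FILE_PERMS = R_FILE_PERMS | X_FILE_PERMS

# The denial quoted in the commit message.
SAMPLE = ('type=1400 audit(7803852.559:251): avc: denied { getattr } for pid=5702 '
          'comm="main" path="/system/bin/app_process" dev="mmcblk0p25" ino=60 '
          'scontext=u:r:zygote:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file')

# Constructed stand-in for what the pre-change rule granted (not shown on the page).
PRIOR_PERMS = {"read", "open", "execute", "execute_no_trans"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Extract source type, target type, class and denied permissions."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the policy rule is written on the type.
    return {
        "source": m["scontext"].split(":")[2],
        "target": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "perms": set(m["perms"].split()),
    }

def suggest_rule(denial, already_allowed):
    """Return an allow rule, using rx_file_perms when it covers everything needed."""
    needed = set(already_allowed) | denial["perms"]
    if denial["tclass"] == "file" and needed <= RX_FILE_PERMS:
        perms = "rx_file_perms"  # also grants the rest of the macro's set
    else:
        perms = "{ " + " ".join(sorted(needed)) + " }"
    return f"allow {denial['source']} {denial['target']}:{denial['tclass']} {perms};"

if __name__ == "__main__":
    print(suggest_rule(parse_avc(SAMPLE), PRIOR_PERMS))
```

A permission outside the macro, such as write, makes suggest_rule fall back to an explicit list, which is the point at which a reviewer should ask whether the access is really needed.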