    app.te: allow getopt/getattr on zygote socket · 61dc3507
    Nick Kralevich authored
    The closure of /dev/socket/zygote occurs in the zygote child
    process, after Zygote has dropped privileges and changed
    SELinux domains. In Google's internal tree, socket closures
    are following a different path, which is causing getopt/getattr
    to be used on the file descriptor. This is generating a large
    number of denials.
    
    Allow the operations for now. getopt/getattr are fairly harmless.
    Long term, we shouldn't be performing these operations on the
    zygote socket.
    
    Addresses the following denials:
    
    18.352783   type=1400 audit(1386374111.043:7): avc:  denied  { getattr } for  pid=682 comm="ndroid.systemui" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
    18.353088   type=1400 audit(1386374111.043:8): avc:  denied  { getopt } for  pid=682 comm="ndroid.systemui" path="/dev/socket/zygote" scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
    18.833251   type=1400 audit(1386374111.524:9): avc:  denied  { getattr } for  pid=761 comm="d.process.acore" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
    18.833557   type=1400 audit(1386374111.524:10): avc:  denied  { getopt } for  pid=761 comm="d.process.acore" path="/dev/socket/zygote" scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
    19.042419   type=1400 audit(1386374111.734:11): avc:  denied  { getattr } for  pid=806 comm="d.process.media" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
    19.042724   type=1400 audit(1386374111.734:12): avc:  denied  { getopt } for  pid=806 comm="d.process.media" path="/dev/socket/zygote" scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
    19.182830   type=1400 audit(1386374111.874:14): avc:  denied  { getattr } for  pid=825 comm="putmethod.latin" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
    19.183105   type=1400 audit(1386374111.874:15): avc:  denied  { getopt } for  pid=825 comm="putmethod.latin" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
    19.235473   type=1400 audit(1386374111.924:16): avc:  denied  { getattr } for  pid=840 comm="ndroid.settings" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:system_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
    
    Bug: 12061011
    Change-Id: Ie1ec7636185aba7954656802e5eed735f49830c9
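The denials quoted above are the raw input a policy author works from: each line names the requested permission, the source domain (scontext), the target domain (tcontext) and the object class, and the usual first triage step is to collapse many lines into the small set of candidate allow rules they imply before deciding whether each one is acceptable. The following is an added example, not code from this commit or from the AOSP sepolicy tree, that parses the quoted AVC lines (embedded as constructed sample input) and aggregates them by (source type, target type, class) into allow rules of the form the commit title refers to. The per-domain rules it prints are illustrative: the page does not show the app.te diff, and it is an assumption here that the real change covers the app domains through a shared attribute rather than one rule per domain.

```python
import re
from collections import defaultdict

# Constructed sample: the denial lines quoted in the commit message above.
SAMPLE_DENIALS = """\
18.352783   type=1400 audit(1386374111.043:7): avc:  denied  { getattr } for  pid=682 comm="ndroid.systemui" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.353088   type=1400 audit(1386374111.043:8): avc:  denied  { getopt } for  pid=682 comm="ndroid.systemui" path="/dev/socket/zygote" scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833251   type=1400 audit(1386374111.524:9): avc:  denied  { getattr } for  pid=761 comm="d.process.acore" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833557   type=1400 audit(1386374111.524:10): avc:  denied  { getopt } for  pid=761 comm="d.process.acore" path="/dev/socket/zygote" scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042419   type=1400 audit(1386374111.734:11): avc:  denied  { getattr } for  pid=806 comm="d.process.media" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042724   type=1400 audit(1386374111.734:12): avc:  denied  { getopt } for  pid=806 comm="d.process.media" path="/dev/socket/zygote" scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.182830   type=1400 audit(1386374111.874:14): avc:  denied  { getattr } for  pid=825 comm="putmethod.latin" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.183105   type=1400 audit(1386374111.874:15): avc:  denied  { getopt } for  pid=825 comm="putmethod.latin" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.235473   type=1400 audit(1386374111.924:16): avc:  denied  { getattr } for  pid=840 comm="ndroid.settings" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:system_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
"""

# The permission set sits between braces after "denied"; everything after
# "for" is a run of key=value fields, some of them quoted.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def context_type(ctx):
    """Pick the type field out of a user:role:type:level security context."""
    return ctx.split(':')[2]


def aggregate(lines):
    """Group denials into {(source type, target type, class): set(permissions)}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc_line(line)
        if rec is None:
            continue  # ignore non-AVC lines mixed into a log
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
    return dict(rules)


def format_allow_rules(rules):
    """Render the aggregated denials as candidate SELinux allow rules."""
    out = []
    for src, tgt, cls in sorted(rules):
        perms = ' '.join(sorted(rules[(src, tgt, cls)]))
        out.append(f'allow {src} {tgt}:{cls} {{ {perms} }};')
    return out


if __name__ == '__main__':
    for rule in format_allow_rules(aggregate(SAMPLE_DENIALS.splitlines())):
        print(rule)
```

On the sample input the script prints one candidate rule per app domain; the output also makes visible that system_app only hit getattr in this capture, which is exactly the kind of gap a reviewer should notice before widening a rule to cover both operations for every domain.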