Skip to content
Snippets Groups Projects
Commit 1af60916 authored by dcashman's avatar dcashman
Browse files

Remove appdomain sysfs auditallow. 

Large numbers of denials have been collected.  Remove from logging until
further action is taken to address existing denials and remove sysfs
access from additional appdomains.

(cherry-pick from commit: 0b80f4dc)

Change-Id: I11b9b159702fb2d50d4352f9cd8b68503d07222a
parent 8f5a891f
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 0 additions and 4 deletions
app.te
+ 0
4
View file @ 1af60916
...@@ -229,10 +229,6 @@ allow appdomain runas_exec:file getattr; ...@@ -229,10 +229,6 @@ allow appdomain runas_exec:file getattr;
selinux_check_access(appdomain) selinux_check_access(appdomain)
selinux_check_context(appdomain) selinux_check_context(appdomain)
# appdomain should not be accessing information on /sys
auditallow { appdomain userdebug_or_eng(`-su') } sysfs:dir { open getattr read ioctl };
auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
# Apps receive an open tun fd from the framework for # Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device # device traffic. Do not allow untrusted app to directly open tun_device
allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append }; allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment