From 2d1650f4075db4f4f458de4c1a4cb5869c44b936 Mon Sep 17 00:00:00 2001 From: Nick Kralevich <nnk@google.com> Date: Fri, 24 Oct 2014 14:25:49 -0700 Subject: [PATCH] allow system_server to set kernel scheduling priority Addresses the following denial: avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0 It's not clear why system_server is adjusting the scheduling priority of kernel processes (ps -Z | grep kernel). For now, allow the operation, although this is likely a kernel bug. Maybe fix bug 18085992. Bug: 18085992 Change-Id: Ic10a4da63a2c392d90084eb1106bc5b42f95b855 --- system_server.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/system_server.te b/system_server.te index fcec400b1..5786c2ee0 100644 --- a/system_server.te +++ b/system_server.te @@ -76,6 +76,10 @@ allow system_server self:netlink_route_socket nlmsg_write; # Kill apps. allow system_server appdomain:process { sigkill signal }; +# This line seems suspect, as it should not really need to +# set scheduling parameters for a kernel domain task. +allow system_server kernel:process setsched; + # Set scheduling info for apps. allow system_server appdomain:process { getsched setsched }; allow system_server mediaserver:process { getsched setsched }; -- GitLab
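Review bot: The comment added above `allow system_server kernel:process setsched;` calls the rule suspect but records neither the denial it answers nor bug 18085992 from the commit message, so nothing in system_server.te tells a later maintainer when the grant can be removed. Since the rule lets system_server change scheduling parameters of every task labelled `kernel`, I would mark it as temporary in the file, e.g. `# TODO(bug 18085992): remove once the source of the setsched call on kernel tasks is found.` If the denied call turns out not to be needed for correct operation, `dontaudit system_server kernel:process setsched;` would quiet the log without granting the permission; whether that applies depends on what the bug investigation shows.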