Skip to content
Snippets Groups Projects
Commit 3753c816 authored by Nick Kralevich's avatar Nick Kralevich
Browse files

vold: allow wakelocks, fsck logs 

When encrypting a device, vold tries to acquire a wake lock,
to prevent the device from sleeping. Add an allow rule.

After booting with a freshly encrypted device, fsck logs data to
/dev/fscklogs/log . Add an allow rule.

Addresses the following denials.

wake lock:

<5>[  372.401015] type=1400 audit(1387488823.195:6): avc:  denied  { read write } for  pid=143 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
<5>[  127.274556] type=1400 audit(1387494536.080:8): avc:  denied  { open } for  pid=140 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file

fsck logging:

<5>[   44.759122] type=1400 audit(1387489522.460:6): avc:  denied  { search } for  pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.559964] type=1400 audit(1387495221.265:6): avc:  denied  { write } for  pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.560081] type=1400 audit(1387495221.265:7): avc:  denied  { add_name } for  pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.560244] type=1400 audit(1387495221.265:8): avc:  denied  { create } for  pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file
<5>[   28.560383] type=1400 audit(1387495221.265:9): avc:  denied  { write open } for  pid=132 comm="vold" name="log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file
<5>[   28.582520] type=1400 audit(1387495221.285:10): avc:  denied  { getattr } for  pid=132 comm="vold" path="/dev/fscklogs/log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file

Change-Id: I09fbe73c9d4955578c16fece4f3b84269eed78b5
parent 13e44ec7
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 8 additions and 0 deletions
vold.te
+ 8
0
View file @ 3753c816
......@@ -38,6 +38,10 @@ allow vold sysfs:file rw_file_perms;
write_klog(vold)
# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
#
# Rules to support encrypted fs support.
#
......@@ -69,3 +73,7 @@ allow vold asec_image_file:dir rw_dir_perms;
security_access_policy(vold)
allow vold asec_apk_file:dir { rw_dir_perms setattr };
allow vold asec_apk_file:file { r_file_perms setattr };
# Handle wake locks (used for device encryption)
allow vold sysfs_wake_lock:file rw_file_perms;
allow vold self:capability2 block_suspend;
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment