Skip to content
Snippets Groups Projects
Commit 48c1f613 authored by dcashman's avatar dcashman
Browse files

Allow system_app to find all system services. 

SystemPropPoker in settings app lists and communicates with every service on the
system on property change, which is not currently allowed for all services.

This occurs, for instance, when toggling
Developer options -> Monitoring -> Profile GPU Rendering -> On scren as bars.

Addresses the following denials:
SELinux : avc:  denied  { find } for service=samplingprofiler scontext=u:r:system_app:s0 tcontext=u:object_r:samplingprofiler_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=DockObserver scontext=u:r:system_app:s0 tcontext=u:object_r:DockObserver_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=devicestoragemonitor scontext=u:r:system_app:s0 tcontext=u:object_r:devicestoragemonitor_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=media.camera.proxy scontext=u:r:system_app:s0 tcontext=u:object_r:cameraproxy_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=scheduling_policy scontext=u:r:system_app:s0 tcontext=u:object_r:scheduling_policy_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=battery scontext=u:r:system_app:s0 tcontext=u:object_r:battery_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=processinfo scontext=u:r:system_app:s0 tcontext=u:object_r:processinfo_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:system_app:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:system_app:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=commontime_management scontext=u:r:system_app:s0 tcontext=u:object_r:commontime_management_service:s0 tclass=service_manager

(cherry-pick of commit: bf0c34d5)

Bug: 20762975
Bug: 21446739
Change-Id: I655d39c6d6ff0b8bd333a99d17abc08af8001be8
parent 20d0ad0e
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 1 addition and 7 deletions
system_app.te
+ 1
7
View file @ 48c1f613
...@@ -48,13 +48,7 @@ allow system_app anr_data_file:file create_file_perms; ...@@ -48,13 +48,7 @@ allow system_app anr_data_file:file create_file_perms;
allow system_app asec_apk_file:file r_file_perms; allow system_app asec_apk_file:file r_file_perms;
allow system_app servicemanager:service_manager list; allow system_app servicemanager:service_manager list;
allow system_app mediaserver_service:service_manager find; allow system_app service_manager_type:service_manager find;
allow system_app nfc_service:service_manager find;
allow system_app radio_service:service_manager find;
allow system_app surfaceflinger_service:service_manager find;
allow system_app system_app_service:service_manager add;
allow system_app app_api_service:service_manager find;
allow system_app system_api_service:service_manager find;
allow system_app keystore:keystore_key { allow system_app keystore:keystore_key {
get_state get_state
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment