Commit b50db946 authored by Nick Kralevich's avatar Nick Kralevich

init.te: allow creating kernel audit entries

Allow init to send userspace generated SELinux denials to the kernel
audit subsystem.

Test: "setprop asdf asdf" from the unprivileged adb shell user
      generated an SELinux denial processed by logd.
Bug: 27878170
Change-Id: I0ecd0601408bbda8227802c13689f98e507282d1
parent cdbb19f1
...@@ -277,6 +277,12 @@ allow init property_data_file:file create_file_perms; ...@@ -277,6 +277,12 @@ allow init property_data_file:file create_file_perms;
# Set any property. # Set any property.
allow init property_type:property_service set; allow init property_type:property_service set;
# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:capability audit_write;
# Run "ifup lo" to bring up the localhost interface # Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl }; allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs: # in addition to unpriv ioctls granted to all domains, init also needs:
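Review bot: the comment above the two new rules explains the netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay } line but says nothing about why `allow init self:capability audit_write;` is needed alongside it; since relaying a userspace audit message to the kernel requires CAP_AUDIT_WRITE in addition to the nlmsg_relay socket permission, a one-line note (e.g. "# audit_write: CAP_AUDIT_WRITE is required by the kernel to accept relayed userspace audit messages") would keep the two rules from being separated in a later cleanup. It would also help to state that the denials come from init's own property_service check rather than from the kernel, so a reader does not expect a kernel avc record for the "setprop asdf asdf" case described in the commit message.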