Commit cd14eb44 authored by Nick Kralevich

Revert "allow system_server to set kernel scheduling priority"

Periodically, SELinux denials of the form:

  type=1400 audit(0.0:8574): avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

are being generated. These denials come from system_server and other
processes. There's no reason why system_server should be calling
sched_setscheduler() on a kernel thread.

Current belief is that these SELinux denials are a bug in the kernel,
and are being inappropriately triggered.

Revert 2d1650f4. The original reason
for accepting this change was to see if it would fix bug 18085992.
Unfortunately, even after the commit, the bug was still present.
The change had no impact on the bug.

Don't inappropriately grant system_server the ability to manipulate
the scheduling priority of kernel threads.

This reverts commit 2d1650f4.

Change-Id: I59bdf26ad247a02b741af2fa58a18e7e83ef44d8
parent 2e0cd5ad
......@@ -75,10 +75,6 @@ allow system_server self:netlink_route_socket nlmsg_write;
# Kill apps.
allow system_server appdomain:process { sigkill signal };
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow system_server kernel:process setsched;
# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
......
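Review bot: with `allow system_server kernel:process setsched;` and its "seems suspect" comment dropped from this block, nothing left in the policy records that the rule must not come back the next time the setsched denial appears in a log. Consider following the removal with `neverallow system_server kernel:process setsched;` plus a one-line comment that system_server has no reason to set scheduling parameters on kernel domain tasks, so a later re-add fails at policy build time (assuming no other rule in the tree depends on that permission). Because no dontaudit is added here, the avc denial against u:r:kernel:s0 will keep being logged; that is useful while the suspected kernel bug is tracked, and is worth saying in the comment so the recurring denial is not read as a regression.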