
Commit 36a76ec0 authored by Miroslav Tisma

sepolicy: Fix 'avc denied' issues for the emulators



This commit fixes the avc denied issues in the emulators:
- goldfish_setup is granted for network access
- netd dontaudit for sys_module
- qemu_prop is granted domain for get_prop

Critical issue was that SELinux denied reading the lcd_density property
by SurfaceFlinger via qemu_prop and this commit fixes it.

Change-Id: I633d96f4d2ee6659f18482a53e21f816abde2a5f
Signed-off-by: Miroslav Tisma <miroslav.tisma@imgtec.com>
parent 6950168f
+2 −0
# For /sys/qemu_trace files in the emulator.
allow domain sysfs_writable:file rw_file_perms;
allow domain qemu_device:chr_file rw_file_perms;

get_prop(domain, qemu_prop)
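Review bot: `get_prop(domain, qemu_prop)` gives every domain on the emulator read access to qemu_prop, while the commit message names only SurfaceFlinger reading lcd_density as the failing case. Unless other denials were observed, scope this to the domain that needs it, for example `get_prop(surfaceflinger, qemu_prop)`. If the domain-wide grant is intended, add a comment above the rule saying so, as the `/sys/qemu_trace` rules above have, so the broad grant reads as deliberate rather than as a shortcut around one denial.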
+2 −0
@@ -13,6 +13,8 @@ allow goldfish_setup toolbox_exec:file rx_file_perms;
allow goldfish_setup self:capability { net_admin net_raw };
allow goldfish_setup self:udp_socket create_socket_perms;

net_domain(goldfish_setup)

# Set net.eth0.dns*, debug.sf.nobootanimation
set_prop(goldfish_setup, system_prop)
set_prop(goldfish_setup, debug_prop)
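Review bot: the new `net_domain(goldfish_setup)` line carries no comment, unlike the `set_prop` rules below it, and it is wider than the explicit `udp_socket create_socket_perms` rule directly above. Please quote the denial that motivated it (socket class and permission) in a comment or in the commit message. If only one more socket class is needed, an explicit `allow goldfish_setup self:...` rule alongside the existing udp_socket rule would keep the domain narrower than joining the general network-client attribute.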
+1 −0
dontaudit netd self:capability sys_module;
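Review bot: `dontaudit netd self:capability sys_module;` has no comment explaining why the denial is expected on the emulator. A dontaudit rule does not grant the capability. It only suppresses the audit record, so any later attempt by netd to use CAP_SYS_MODULE on these targets will also be denied silently. Add a comment naming the operation that triggers the request, so a reader can tell this is noise suppression and knows what to re-check if netd behaviour changes.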