On 05/27/2016 06:01 AM, Inamdar Sharif wrote:
> Hi Guys,
>
> I am getting the following avc denial for tracefs on kernel 4.4
>
> avc: denied { search } for pid=285 comm="zygote" name="/" dev="tracefs"
> ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
> permissive=0
>
> avc: denied { search } for pid=476 comm="dex2oat" name="/" dev="tracefs"
> ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
> permissive=0
>
> avc: denied { search } for pid=282 comm="zygote64" name="/"
> dev="tracefs" ino=1 scontext=u:r:zygote:s0
> tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
>
> I am using Android M release branch for external/sepolicy and
> android-4.4 for kernel/common
>
> I know I am missing changes in external/sepolicy like
>
> https://android.googlesource.com/platform/system/sepolicy/+/44826cb5e4b20e0f7b7bfa72f64767e5fcc4f253%5E!/
>
> https://android.googlesource.com/platform/system/sepolicy/+/fe12b61642a0013e04848b399e59d310926c796f%5E!/
>
> https://android.googlesource.com/platform/system/sepolicy/+/4dafa72ac92a44089cae078c8c676eb3cedc226e
>
> All these changes are present in Android N.
>
> But going from Android M to Android N there are a lot of changes. Also
> these changes have dependencies.
>
> Is there any proper way to get rid of these denials?

I take it you don't want to try cherry-picking the above policy changes
and their dependencies, including the corresponding change to system/core?

In that case, the simplest fix for Android M would be to just add the
following to external/sepolicy/genfs_contexts:

    genfscon tracefs / u:object_r:debugfs:s0

Then tracefs will be treated the same as debugfs from a policy point of
view and nothing else changes. However, understand that this will not
provide you with any protection benefit since it will leave debugfs
writable by all domains.
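
An added example, not part of the original thread: a small triage script that groups AVC denials by the dev= they hit when the target type is unlabeled, which is the case the genfscon line in the reply addresses. The sample log is the three denials from the message joined onto single lines plus one constructed denial with a labelled target; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the three denials from the message, each joined onto one
# line, plus one constructed denial whose target already carries a label.
SAMPLE_LOG = """\
avc: denied { search } for pid=285 comm="zygote" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
avc: denied { search } for pid=476 comm="dex2oat" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
avc: denied { search } for pid=282 comm="zygote64" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
avc: denied { read } for pid=900 comm="example" name="x" dev="debugfs" ino=7 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:debugfs:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict of its key=value fields, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: val.strip('"') for key, val in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def unlabeled_by_device(log_text):
    """Group denials whose target type is 'unlabeled' by the dev= they hit."""
    summary = defaultdict(lambda: {"count": 0, "domains": set(),
                                   "perms": set(), "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or selinux_type(rec.get("tcontext", "")) != "unlabeled":
            continue
        entry = summary[rec.get("dev", "?")]
        entry["count"] += 1
        entry["domains"].add(selinux_type(rec.get("scontext", "")))
        entry["perms"].update(rec["perms"])
        entry["comms"].add(rec.get("comm", "?"))
    return dict(summary)


if __name__ == "__main__":
    for dev, info in unlabeled_by_device(SAMPLE_LOG).items():
        print(dev, info["count"], sorted(info["domains"]), sorted(info["perms"]))
```

A device that shows up here needs a labeling entry in policy before allow rules for the denied domains are considered.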