On 05/27/2016 09:28 AM, Stephen Smalley wrote:
> On 05/27/2016 06:01 AM, Inamdar Sharif wrote:
>> Hi Guys,
>>
>> I am getting the following avc denials for tracefs on kernel 4.4
>>
>> avc: denied { search } for pid=285 comm="zygote" name="/" dev="tracefs"
>> ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
>> permissive=0
>>
>> avc: denied { search } for pid=476 comm="dex2oat" name="/" dev="tracefs"
>> ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
>> permissive=0
>>
>> avc: denied { search } for pid=282 comm="zygote64" name="/"
>> dev="tracefs" ino=1 scontext=u:r:zygote:s0
>> tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
>>
>> I am using Android M release branch for external/sepolicy and
>> android-4.4 for kernel/common
>>
>> I know I am missing changes in external/sepolicy like
>>
>> https://android.googlesource.com/platform/system/sepolicy/+/44826cb5e4b20e0f7b7bfa72f64767e5fcc4f253%5E!/
>>
>> https://android.googlesource.com/platform/system/sepolicy/+/fe12b61642a0013e04848b399e59d310926c796f%5E!/
>>
>> https://android.googlesource.com/platform/system/sepolicy/+/4dafa72ac92a44089cae078c8c676eb3cedc226e
>>
>> All these changes are present in Android N.
>>
>> But going from Android M to Android N there are a lot of changes. Also,
>> these changes have dependencies.
>>
>> Is there any proper way to get rid of these denials?
> 
> I take it you don't want to try cherry-picking the above policy changes
> and their dependencies, including the corresponding change to system/core?
> 
> In that case, the simplest fix for Android M would be to just add the
> following to external/sepolicy/genfs_contexts:
> genfscon tracefs / u:object_r:debugfs:s0
> 
> Then tracefs will be treated the same as debugfs from a policy point of
> view and nothing else changes.  However, understand that this will not
> provide you with any protection benefit since it will leave debugfs
> writable by all domains.

One question I had was whether Android even needs to mount debugfs if
tracefs is available.  Could just mount a tmpfs on /sys/kernel/debug,
mkdir /sys/kernel/debug/tracing, and then mount tracefs there if you
need to keep the same mount point location.  Then debugfs wouldn't be
exposed at all to userspace, which would be a good thing IMHO.  Does
Android really use debugfs files outside of the tracing directory?
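As an added example (not part of the thread, and not Android's own tooling): a small triage script that reads avc denials like the ones posted above, groups those whose target is u:object_r:unlabeled:s0 by the filesystem in dev=, and prints the genfscon line in the form Stephen gave. A second function checks constructed /proc/mounts excerpts for a debugfs entry, which is the "is debugfs exposed at all" question from the last reply. The denial lines are the three from the report plus one made-up labeled denial; the /proc/mounts excerpts and the app names in them are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log: the three denials posted in the thread, plus one
# made-up denial on a labeled target to show that those are ignored.
SAMPLE_AVC = """\
avc: denied { search } for pid=285 comm="zygote" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
avc: denied { search } for pid=476 comm="dex2oat" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
avc: denied { search } for pid=282 comm="zygote64" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
avc: denied { write } for pid=300 comm="someapp" name="x" dev="sda1" ino=77 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
"""

# Constructed (hypothetical) /proc/mounts excerpts: a device that mounts
# debugfs itself, and one using the tmpfs + tracefs layout suggested above.
MOUNTS_WITH_DEBUGFS = """\
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
tracefs /sys/kernel/debug/tracing tracefs rw,relatime 0 0
"""
MOUNTS_TMPFS_ONLY = """\
tmpfs /sys/kernel/debug tmpfs rw,relatime 0 0
tracefs /sys/kernel/debug/tracing tracefs rw,relatime 0 0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one avc denial into a dict; return None for non-avc lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def unlabeled_by_dev(lines):
    """Map filesystem (dev=) -> set of source domains denied on an unlabeled
    target. 'unlabeled' is the type the kernel assigns when neither a genfscon
    rule nor an xattr label covers the inode, so every key returned here is a
    filesystem with no entry in genfs_contexts."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "dev" not in rec:
            continue
        parts = rec.get("tcontext", "").split(":")
        if len(parts) > 2 and parts[2] == "unlabeled":
            out[rec["dev"]].add(rec.get("scontext", "?"))
    return dict(out)


def suggest_genfscon(devs, label="u:object_r:debugfs:s0"):
    """Emit genfs_contexts lines. The default label is the stopgap from the
    thread (tracefs treated like debugfs); once the policy defines a
    dedicated type for the filesystem, pass it as label= instead."""
    return ["genfscon %s / %s" % (dev, label) for dev in sorted(devs)]


def debugfs_exposed(mount_lines):
    """True if any /proc/mounts entry has fstype debugfs, i.e. all of debugfs
    (not just the tracing directory) is reachable from userspace."""
    for line in mount_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "debugfs":
            return True
    return False


if __name__ == "__main__":
    missing = unlabeled_by_dev(SAMPLE_AVC.splitlines())
    for dev, domains in missing.items():
        print("%s: unlabeled, denied for %s" % (dev, ", ".join(sorted(domains))))
    for rule in suggest_genfscon(missing):
        print("  add to genfs_contexts: " + rule)
    print("debugfs exposed (debugfs layout):",
          debugfs_exposed(MOUNTS_WITH_DEBUGFS.splitlines()))
    print("debugfs exposed (tmpfs layout):",
          debugfs_exposed(MOUNTS_TMPFS_ONLY.splitlines()))
```

Run it against `dmesg` or logcat output in place of SAMPLE_AVC; a filesystem that shows up in the report needs a genfscon entry (or a tmpfs mount over it) before the denials can be addressed per domain, since allow rules against the unlabeled type would grant access to every unlabeled filesystem at once.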


_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].