-----Original Message-----
From: Stephen Smalley [mailto:[email protected]]
Sent: Friday, May 27, 2016 6:58 PM
To: Inamdar Sharif; [email protected]
Subject: Re: tracefs avc denial on k4.4
On 05/27/2016 06:01 AM, Inamdar Sharif wrote:
>> Hi Guys,
>>
>>
>>
>> I am getting the following avc denial for tracefs on kernel 4.4
>>
>> avc: denied { search } for pid=285 comm="zygote" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
>>
>> avc: denied { search } for pid=476 comm="dex2oat" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
>>
>> avc: denied { search } for pid=282 comm="zygote64" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
>>
>> I am using Android M release branch for external/sepolicy and
>> android-4.4 for kernel/common
>>
>> I know I am missing changes in external/sepolicy like
>>
>> https://android.googlesource.com/platform/system/sepolicy/+/44826cb5e4b20e0f7b7bfa72f64767e5fcc4f253%5E!/
>>
>> https://android.googlesource.com/platform/system/sepolicy/+/fe12b61642a0013e04848b399e59d310926c796f%5E!/
>>
>> https://android.googlesource.com/platform/system/sepolicy/+/4dafa72ac92a44089cae078c8c676eb3cedc226e
>>
>> All these changes are present in Android N.
>>
>> But going from Android M to Android N there are a lot of changes. Also
>> these changes have dependencies.
>>
>> Is there any proper way to get rid of these denials?
>
>I take it you don't want to try cherry-picking the above policy changes and
>their dependencies, including the corresponding change to system/core?
>
I am ready to cherry-pick the changes (4-5 changes are fine), but if there
are 40-50 odd changes it will be difficult. If I take half of a certain commit,
that would not be fine.
For example, the domain_deprecated.te changes are not present in Android M.
As I mentioned previously, the Android M branches don't have these patches.
I am using Android M and K4.4.
>In that case, the simplest fix for Android M would be to just add the
>following to external/sepolicy/genfs_contexts:
>genfscon tracefs / u:object_r:debugfs:s0
>
>Then tracefs will be treated the same as debugfs from a policy point of view
>and nothing else changes. However, understand that this will not provide you
>with any protection benefit since it will leave debugfs writable by all
>domains.
>
I am thinking of adding just the relevant changes in device-specific policies
and then removing them once Android N comes in.
Thanks.
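As an added illustration (not part of this thread or of the AOSP policy tooling), the following script parses the three denials quoted above, constructed here as sample log lines, confirms that every one of them targets an unlabeled filesystem root rather than a mislabeled file, and emits the genfs_contexts line Stephen suggested. The function and variable names are the example's own.

```python
import re
from collections import Counter

# Constructed sample: the three denials quoted in the thread, one per line.
SAMPLE_DENIALS = """\
avc: denied { search } for pid=285 comm="zygote" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
avc: denied { search } for pid=476 comm="dex2oat" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
avc: denied { search } for pid=282 comm="zygote64" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
"""

# Fields an AVC denial carries that matter for deciding on a policy fix.
AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+)\} for .*?'
    r'dev="(?P<dev>[^"]+)" .*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_denials(text):
    """Return one dict per avc denial line; perms becomes a list."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            found.append(d)
    return found


def unlabeled_filesystems(denials):
    """Count denials per device whose target carries the 'unlabeled' type.

    A tcontext of unlabeled on a filesystem root means the policy has no
    genfscon entry for that filesystem at all, so the right fix is a labeling
    entry, not allow rules granting access to the unlabeled type."""
    counts = Counter()
    for d in denials:
        if d["tcontext"].split(":")[2] == "unlabeled":
            counts[d["dev"]] += 1
    return counts


def genfscon_fix(fs, label):
    """Build the genfs_contexts line; the thread uses label u:object_r:debugfs:s0."""
    return f"genfscon {fs} / {label}"


if __name__ == "__main__":
    for fs in unlabeled_filesystems(parse_denials(SAMPLE_DENIALS)):
        print(genfscon_fix(fs, "u:object_r:debugfs:s0"))
```

Labeling tracefs as debugfs removes the denials, but as Stephen notes it also inherits whatever access every domain already has to debugfs, so it is a stopgap until the Android N tracefs policy is picked up.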
_______________________________________________
Seandroid-list mailing list
[email protected]