Hi, All

When I update to use tag android-6.0.1_r55, I got the following avc denials during boot-up:

avc: denied { ioctl } for pid=177 comm="Binder_2" path="socket:[10083]" dev="sockfs" ino=10083 ioctlcmd=7704 scontext=u:r:surfaceflinger:s0 tcontext=u:r:surfaceflinger:s0 tclass=unix_stream_socket permissive=0

and

avc: denied { ioctl } for pid=465 comm="Binder_1" path="socket:[14454]" dev="sockfs" ino=14454 ioctlcmd=7704 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=0

With the following rules I can make the denials disappear:

11:29:17 liuyq: hikey$ git diff --staged diff --git a/sepolicy/ioctl_macros b/sepolicy/ioctl_macros new file mode 100644 index 0000000..398976c --- /dev/null +++ b/sepolicy/ioctl_macros @@ -0,0 +1 @@ +define(`IOCTLTEST', `0x00007704') diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te new file mode 100644 index 0000000..7c337a9 --- /dev/null +++ b/sepolicy/surfaceflinger.te @@ -0,0 +1 @@ +allow surfaceflinger surfaceflinger:unix_stream_socket { IOCTLTEST }; diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te new file mode 100644 index 0000000..218a8a2 --- /dev/null +++ b/sepolicy/system_server.te @@ -0,0 +1 @@ +allow system_server system_server:unix_stream_socket { IOCTLTEST }; 11:29:19 liuyq: hikey$

But how should I find the real name for ioctlcmd=7704? I searched in the kernel and found 7704 is defined as follows:

kernel/linaro/hisilicon/drivers/gpu/drm/radeon/r600d.h:1219:#define HDMI1_STATUS 0x7704

but it does not seem to be used for an ioctl command.

--
Best Regards,
Yongqin Liu
---------------------------------------------------------------
#mailing list
linaro-andr...@lists.linaro.org <linaro-...@lists.linaro.org>
http://lists.linaro.org/mailman/listinfo/linaro-android
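
Review bot: The macro name IOCTLTEST in sepolicy/ioctl_macros is a placeholder for a command that has not been identified, so the policy would whitelist 0x00007704 without recording what it does. Hold the define until the command is traced to the code that issues it, then name the macro after that command and add a comment pointing at the header that defines it.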
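
Review bot: In sepolicy/surfaceflinger.te and sepolicy/system_server.te the target type repeats the source type, which "self" expresses more clearly, for example "allow surfaceflinger self:unix_stream_socket { IOCTLTEST };". Neither rule carries a comment tying it to the denial it addresses (ioctlcmd=7704 from the Binder threads), and because the same command is denied in two domains it is worth checking whether a shared component issues it before granting it per domain.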
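
A triage aid for denials like the two quoted in the message, added here as an example and not part of the original post or of the AOSP policy tooling: it parses each avc line, groups the denied ioctl commands by source domain, and splits the command number into its _IOC fields. It assumes the asm-generic _IOC bit layout; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the two denials quoted in the message above.
SAMPLE = (
    'avc: denied { ioctl } for pid=177 comm="Binder_2" path="socket:[10083]" '
    'dev="sockfs" ino=10083 ioctlcmd=7704 scontext=u:r:surfaceflinger:s0 '
    'tcontext=u:r:surfaceflinger:s0 tclass=unix_stream_socket permissive=0\n'
    'avc: denied { ioctl } for pid=465 comm="Binder_1" path="socket:[14454]" '
    'dev="sockfs" ino=14454 ioctlcmd=7704 scontext=u:r:system_server:s0 '
    'tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=0\n'
)

DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DIRS = ("none", "write", "read", "read|write")

def decode_ioctl(cmd):
    """Split a command number into _IOC fields (asm-generic layout assumed)."""
    return {"type": (cmd >> 8) & 0xFF, "nr": cmd & 0xFF,
            "size": (cmd >> 16) & 0x3FFF, "dir": DIRS[(cmd >> 30) & 0x3]}

def parse_denial(line):
    """Return one denial as a dict, or None if the line is not a usable one."""
    m = DENIED.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None  # truncated or malformed record
    rec = {"perms": m.group(1).split(), "comm": f.get("comm"),
           "source": f["scontext"].split(":")[2],
           "target": f["tcontext"].split(":")[2],
           "tclass": f["tclass"], "ioctl": None}
    if "ioctlcmd" in f:
        rec["ioctl"] = int(f["ioctlcmd"], 16)  # the kernel logs this in hex
    return rec

def commands_by_domain(text):
    """Map each denied ioctl command to the source domains that issued it."""
    out = defaultdict(set)
    for rec in filter(None, map(parse_denial, text.splitlines())):
        if rec["ioctl"] is not None:
            out[rec["ioctl"]].add(rec["source"])
    return {cmd: sorted(doms) for cmd, doms in out.items()}

if __name__ == "__main__":
    for cmd, doms in commands_by_domain(SAMPLE).items():
        d = decode_ioctl(cmd)
        print(f"0x{cmd:04x} type=0x{d['type']:02x} ({chr(d['type'])!r}) "
              f"nr={d['nr']} size={d['size']} dir={d['dir']} domains={doms}")
```

The decoded type byte is the value to search for in ioctl definitions (the _IO/_IOR/_IOW macros), which narrows the search more than grepping for the full number.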