Label device-specific sysfs net nodes

avc: denied { write } for name="mtu" dev="sysfs" ino=10779 scontext=u:r:netd:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 netd hits this denial by following this symlink qemu: /sys/class/net/rmnet0 -> /sys/devices/pci0000:00/0000:00:0a.0/virtio8/net/rmnet0 crosvm: /sys/class/net/rmnet0 -> /sys/devices/pci0000:00/0000:00:0c.0/virtio11/net/rmnet0 Bug: 129497117 Test: boot cuttlefish without above denial Change-Id: I08508b22c4e6e3bf86f2c22b1187a3a6d40c89b5 Merged-In: I08508b22c4e6e3bf86f2c22b1187a3a6d40c89b5 (cherry picked from commit 3f84caf090ea81df166a358f32a3d630cbf9aba6)
author: Tri Vo <trong@google.com> 2019-04-13 16:55:41 -0700
committer: Maciej Zenczykowski <maze@google.com> 2019-05-03 18:11:57 +0000
commit: fe2d84114f9a673af7dedeaf1c626006e91d74d8 (patch)
tree: 6971d10b917dbfc5dedf42e8db3c822089bb8a34
parent: e8531d1605f852142d0558737350435304743944 (diff)
download: cuttlefish-fe2d84114f9a673af7dedeaf1c626006e91d74d8.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/shared/sepolicy/genfs_contexts b/shared/sepolicy/genfs_contexts
index 1abaa6a3b..70bde1022 100644
--- a/shared/sepolicy/genfs_contexts
+++ b/shared/sepolicy/genfs_contexts
@@ -1 +1,3 @@
 genfscon sysfs /devices/pnp0/00:00/rtc  u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/pci0000:00/0000:00:0a.0/virtio8/net u:object_r:sysfs_net:s0 # qemu
+genfscon sysfs /devices/pci0000:00/0000:00:0c.0/virtio11/net u:object_r:sysfs_net:s0 # crosvm
author	Tri Vo <trong@google.com>	2019-04-13 16:55:41 -0700
committer	Maciej Zenczykowski <maze@google.com>	2019-05-03 18:11:57 +0000
commit	fe2d84114f9a673af7dedeaf1c626006e91d74d8 (patch)
tree	6971d10b917dbfc5dedf42e8db3c822089bb8a34
parent	e8531d1605f852142d0558737350435304743944 (diff)
download	cuttlefish-fe2d84114f9a673af7dedeaf1c626006e91d74d8.tar.gz