author | Alistair Strachan <astrachan@google.com> | 2019-05-16 10:33:23 -0700 |
---|---|---|
committer | Alistair Strachan <astrachan@google.com> | 2019-05-17 00:26:37 +0000 |
commit | 37eeaac418f33598dd4ff8b61fae3c55b50818c6 (patch) | |
tree | 25a1e11bc6a402459ebe34bf3ecf9e81f5b37667 | |
parent | 343082afb855cc2624365b7c0a444e0d6773ede8 (diff) | |

Add more sepolicy for cgroup/cpusets

After enabling cgroup/cpusets in the cuttlefish kernel, these new
denials have popped up. Fix them.

Bug: 128336318
Change-Id: I0dfebebea518261659824c595ea9609c954d64ad
Merged-In: I0dfebebea518261659824c595ea9609c954d64ad

-rw-r--r-- | shared/sepolicy/bug_map | 1 |
-rw-r--r-- | shared/sepolicy/gceservice.te | 3 |
2 files changed, 4 insertions, 0 deletions
diff --git a/shared/sepolicy/bug_map b/shared/sepolicy/bug_map index 1adf764b0..74341aa10 100644 --- a/shared/sepolicy/bug_map +++ b/shared/sepolicy/bug_map @@ -3,6 +3,7 @@ installd device file 128336318 kernel device blk_file 130468851 kernel kernel system 130424539 lmkd device file 128336318 +logpersist logpersist capability 132911257 netd device file 128336318 shell adbd vsock_socket 131904985 storaged device file 128336318 diff --git a/shared/sepolicy/gceservice.te b/shared/sepolicy/gceservice.te index 488130943..b6f84be7c 100644 --- a/shared/sepolicy/gceservice.te +++ b/shared/sepolicy/gceservice.te @@ -24,3 +24,6 @@ allow gceservice tombstone_data_file:file getattr; # started before Android init and thus before SELinux rule are applied. # TODO(b/65049764): Update once GCE metadata proxy is moved outside of the emulator or gets labelled allow gceservice kernel:unix_stream_socket connectto; + +# gceservice writes to /dev/stune/foreground/tasks +allow gceservice cgroup:file w_file_perms; |
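
Review bot: the added `logpersist logpersist capability 132911257` line in bug_map records a denial against a bug rather than resolving it, and it cites 132911257 while the commit message lists only Bug: 128336318 and describes the change as fixing cgroup/cpusets denials. Say in the commit message that this denial is being tracked, not fixed, and add a Bug: line for 132911257 (or explain how a logpersist self-capability denial relates to enabling cpusets) so the entry can be found and removed when that bug closes.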
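
Review bot: in the gceservice.te hunk, `allow gceservice cgroup:file w_file_perms;` applies to every file labelled cgroup, but the comment above it justifies only one path, /dev/stune/foreground/tasks. Either state in the comment that the cgroup type is what covers that file and that the wider grant is accepted, or narrow the rule if a more specific label is available. The comment also names a /dev/stune path while the commit message attributes the denials to cgroup/cpusets; a line tying the two together, ideally quoting the denial being addressed, would make the rule auditable later.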