author | Jeff Vander Stoep <jeffv@google.com> | 2015-08-28 09:01:46 -0700 |
---|---|---|
committer | Jeff Vander Stoep <jeffv@google.com> | 2015-08-28 09:48:18 -0700 |
commit | 53c701d91550035f5bc8384f4622f0a3aa9f86bc (patch) | |
tree | 8b7766500f11e5c4f1279258b4a77f71ba238e85 /sepolicy | |
parent | 7bdcefcfdbbe85cd9c502acd95920340e26294b3 (diff) | |
download | bullhead-53c701d91550035f5bc8384f4622f0a3aa9f86bc.tar.gz |
sepolicy: address fingerprintd denials
Allow
avc: denied { search } for comm="fingerprintd" name="/" dev="mmcblk0p24" ino=2 scontext=u:r:fingerprintd:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0
Dir search denials typically precede file access denials. Temporarily
put fingerprintd into permissive to collect additional denials.
Bug: 23617307
Change-Id: I6489629437beed9f45bc1b32c1501af236f0f952
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/fingerprintd.te | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te index 86921a2..24d6e63 100644 --- a/sepolicy/fingerprintd.te +++ b/sepolicy/fingerprintd.te @@ -1,3 +1,6 @@ +# STOPSHIP: all domains must be in enforcing mode. +permissive fingerprintd; + binder_service(fingerprintd) # Access to /dev/tee @@ -10,3 +13,6 @@ allow fingerprintd input_device:chr_file r_file_perms; # read clk_enable and wakeup_enable in /sys/devices/soc.0/f9966000.spi_fpc/ allow fingerprintd sysfs_devices_fingerprint:dir r_dir_perms; allow fingerprintd sysfs_devices_fingerprint:file rw_file_perms; + +# allow access to /persist +allow fingerprintd persist_file:dir search; |
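Review bot: The `permissive fingerprintd;` line added at the top of the file in the first hunk has no scope limit and no removal condition. While it is present, every `allow` rule in fingerprintd.te is effectively advisory, because denials for this domain are logged but not enforced. The `# STOPSHIP` comment should name the tracking bug (23617307, per the commit message) so the revert is traceable. Consider wrapping the statement in `userdebug_or_eng(...)` if the denials can be collected on those builds, so a user build never ships with the domain permissive.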
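Review bot: In the second hunk, the comment `# allow access to /persist` overstates what the rule below it grants. `allow fingerprintd persist_file:dir search;` permits directory traversal only, with no file read or write. Reword the comment to say it allows searching /persist, and note that file-level rules are pending the denials collected in permissive mode, so that a later reader does not assume file access is already covered. When those rules are added, prefer a fingerprint-specific type over granting access to all of `persist_file`.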