diff options
| author | Andrew Chant <achant@google.com> | 2021-05-17 09:24:56 -0700 |
|---|---|---|
| committer | Andrew Chant <achant@google.com> | 2021-05-17 18:24:00 -0700 |
| commit | a2e1acc9c396fcc09144d53acfd92ba4b1d9ef62 (patch) | |
| tree | e31d42550e11e56b236cb5b2fb44f69e7f7d6c90 | |
| parent | 9e1f66d5b5582ac8e67215cd9479fb18264585b2 (diff) | |
| download | pixel-sepolicy-a2e1acc9c396fcc09144d53acfd92ba4b1d9ef62.tar.gz | |
rebalance_interrupts sepolicy
Add rebalance_interrupts sepolicy to allow
rebalance_interrupts to modify smp_affinity for IRQs.
Example denials w/o this:
[ 43.144107] type=1400 audit(1621271039.800:58): avc: denied { read } for comm="rebalance_inter" name="irq" dev="sysfs" ino=15875 scontext=u:r:rebalance_interrupts_vendor:s0 tcontext=u:object_r:sysfs_irq:s0 tclass=dir permissive=1
[ 43.144306] type=1400 audit(1621271039.800:59): avc: denied { open } for comm="rebalance_inter" path="/sys/kernel/irq" dev="sysfs" ino=15875 scontext=u:r:rebalance_interrupts_vendor:s0 tcontext=u:object_r:sysfs_irq:s0 tclass=dir permissive=1
[ 43.144452] type=1400 audit(1621271039.800:60): avc: denied { search } for comm="rebalance_inter" name="irq" dev="sysfs" ino=15875 scontext=u:r:rebalance_interrupts_vendor:s0 tcontext=u:object_r:sysfs_irq:s0 tclass=dir permissive=1
[ 43.159532] type=1400 audit(1621271039.816:61): avc: denied { search } for comm="rebalance_inter" name="irq" dev="proc" ino=4026531868 scontext=u:r:rebalance_interrupts_vendor:s0 tcontext=u:object_r:proc_irq:s0 tclass=dir permissive=1
Bug: 148403062
Change-Id: I0cf7e163d8436f428a53bbb96ff2949753004ac1
| -rw-r--r-- | rebalance_interrupts/file.te | 2 | ||||
| -rw-r--r-- | rebalance_interrupts/file_contexts | 2 | ||||
| -rw-r--r-- | rebalance_interrupts/genfs_contexts | 2 | ||||
| -rw-r--r-- | rebalance_interrupts/rebalance_interrupts.te | 10 |
4 files changed, 16 insertions, 0 deletions
diff --git a/rebalance_interrupts/file.te b/rebalance_interrupts/file.te new file mode 100644 index 0000000..4b8bd35 --- /dev/null +++ b/rebalance_interrupts/file.te @@ -0,0 +1,2 @@ +type sysfs_irq, fs_type, sysfs_type; +type proc_irq, fs_type, proc_type; diff --git a/rebalance_interrupts/file_contexts b/rebalance_interrupts/file_contexts new file mode 100644 index 0000000..bb25b5c --- /dev/null +++ b/rebalance_interrupts/file_contexts @@ -0,0 +1,2 @@ +/vendor/bin/rebalance_interrupts-vendor u:object_r:rebalance_interrupts_vendor_exec:s0 + diff --git a/rebalance_interrupts/genfs_contexts b/rebalance_interrupts/genfs_contexts new file mode 100644 index 0000000..fc264b5 --- /dev/null +++ b/rebalance_interrupts/genfs_contexts @@ -0,0 +1,2 @@ +genfscon sysfs /kernel/irq u:object_r:sysfs_irq:s0 +genfscon proc /irq u:object_r:proc_irq:s0 diff --git a/rebalance_interrupts/rebalance_interrupts.te b/rebalance_interrupts/rebalance_interrupts.te new file mode 100644 index 0000000..668a696 --- /dev/null +++ b/rebalance_interrupts/rebalance_interrupts.te @@ -0,0 +1,10 @@ +# rebalance_interrupts vendor +type rebalance_interrupts_vendor, domain; + +type rebalance_interrupts_vendor_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(rebalance_interrupts_vendor) + +allow rebalance_interrupts_vendor sysfs_irq:dir r_dir_perms; +allow rebalance_interrupts_vendor sysfs_irq:file r_file_perms; +allow rebalance_interrupts_vendor proc_irq:dir r_dir_perms; +allow rebalance_interrupts_vendor proc_irq:file rw_file_perms; |