Anonymous committed 63b98b1

restore system_server zygote socket rules

1601132086b054adc70e7f8f38ed24574c90bc37 removed the getattr/getopt
support for system_server, which is needed to close the zygote socket.
See b/12061011 for details.

system_server still needs this rule, and it's expected to stay
permanently. Restore the rule and remove the comment about it eventually
being deleted.

Addresses the following denials:

<5>[ 86.307639] type=1400 audit(1393376281.530:5): avc: denied { getattr } for pid=656 comm="main" path="socket:[7195]" dev=sockfs ino=7195 scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
<5>[ 86.307945] type=1400 audit(1393376281.530:6): avc: denied { getopt } for pid=656 comm="main" path="/dev/socket/zygote" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket

Bug: 12114500
Change-Id: I47033766dea3ba2fdaa8ce9b4251370bd64aea6d

  • Participants
  • Parent commits f197f8c

Comments (0)

Files changed (1)

File system_server.te

 allow system_server zygote:process sigchld;
 allow system_server zygote_tmpfs:file read;
+# Needed to close the zygote socket, which involves getopt / getattr
+allow system_server zygote:unix_stream_socket { getopt getattr };
 # system server gets network and bluetooth permissions.